JimDabell · 3 months ago
Previous discussion:

Covert web-to-app tracking via localhost on Android (341 comments):

https://news.ycombinator.com/item?id=44169115

1vuio0pswjnm7 · 3 months ago
NB. Comment totals may still be increasing as discussion continues

Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta Apps (and Yandex) (328 comments)

https://news.ycombinator.com/item?id=44210689

Meta found 'covertly tracking' Android users through Instagram and Facebook (95 comments)

https://news.ycombinator.com/item?id=44182204

Meta pauses mobile port tracking tech on Android after researchers cry foul (28 comments)

https://news.ycombinator.com/item?id=44175940

Covert web-to-app tracking via localhost on Android (6 comments)

https://news.ycombinator.com/item?id=44169314

Covert Web-to-App Tracking via Localhost on Android (6 comments)

https://news.ycombinator.com/item?id=44169314

Meta and Yandex Spying on Your Android Web Browsing Activity

https://news.ycombinator.com/item?id=44177637

New research highlights privacy abuse involving Meta and Yandex

https://news.ycombinator.com/item?id=44171535

Meta and Yandex exfiltrating tracking data on Android via WebRTC (3 comments)

https://news.ycombinator.com/item?id=44176697

aorth · 3 months ago
Remember in 2014 when the Android Twitter app started sending a list of all your installed applications back to Twitter? https://news.bloomberglaw.com/privacy-and-data-security/twit...

Ever since then I've refused to install native versions of apps that could be used in a browser. I don't use Facebook or Instagram so I don't know if that works anymore, and I recall testing that they were intentionally crippling Facebook Messenger at one point.

Then the past decade of native apps requesting tons of permissions and users just clicking agree. Why should Facebook be able to read my Wi-Fi network or Bluetooth? Of course there is something shady going on. Beacons tracking people walking around brick and mortar stores. https://en.wikipedia.org/wiki/Facebook_Bluetooth_Beacon

Such a shame because native apps are so much more pleasant and performant to use than web apps.

dcminter · 2 months ago
> they were intentionally crippling Facebook Messenger at one point [in a browser]

They were/did. I was using Messenger Lite for a bit which was ok, but they killed that and the mobile browser mode.

I still need FB for some events and contacts, but I refuse to have the fat messenger app installed so now I end up using the damn thing in desktop mode which is ... painful.

All I seem to see in my feed these days is "suggested for you" so it's a lot less addictive than it was back in the day. Not sure why they're so determined to drive the user base away, but that does seem to be the plan.

const_cast · 2 months ago
Web apps have been sabotaged so severely for years now, and it really peeves me. Half the time they bombard the UI with "use the app!!1" popups and the other half of the time they just don't work.

The worst part is that a lot of native apps these days are just web views. You can't even be bothered to use the native UI toolkit and you expect me to download your app? If this is just Safari with extra steps then let me use Safari!

dcminter · 2 months ago
It stuns me that eBay is so determined to get you to use the app that they will divert someone who has landed on the site and started typing a search term presumably with the explicit intention of buying something in order to sell them on the idea of installing an app instead!

Just ... let me give you money without interrupting me ... please?

Saris · 2 months ago
I like using ublock origin since I can create filters for those popups.
gausswho · 2 months ago
I felt like a prude at the time but eschewed native apps for browser versions and haven't regretted it. Didn't benefit from notification distraction anyway. Apple and Google just didn't get their houses in order to be taken seriously.

If it ain't on F-Droid, I'll wait.

boneitis · 2 months ago
There is another can of worms hidden in plain sight right here, I feel like.

From the article:

  You’re not affected if (and only if)
  You access Facebook and Instagram via the web, without having the apps installed on your phone

This is only what's observably true of a particular app under the hood from straightforwardly jacking into it with Frida or performing any other deeper analysis.

What's to say Meta/Google/OtherAnalyticsCorp/OtherMegaCorp hasn't already, on a large scale, colluded with [bought out] app developers to simply share session data out-of-band as another tentacle?

Rather, is it even reasonable to assume they all haven't been doing this all this time? (Maybe these also fall squarely under what GDPR, DSA, and DMA were supposed to mitigate? I'm not an expert here... just my cynicism kicking in.)

I too go through fairly great pains to try to minimize unneeded apps on my device.

Lu2025 · 2 months ago
>I refused to install native versions of apps that could be used in a browser.

Same. After AT&T force obsolesced my perfectly working phone back in February 2022 (it had the bands but they simply didn't want to support it!) I kept it as a dedicated app phone. No web browsing, no stored credentials or cookies, just an app sandbox. Sending a ray of diarrhea to companies who force us to use apps instead of web. I'm looking at you, Chipotle.

1oooqooq · 2 months ago
This is still perfectly legal and allowed.

Every app can scan your apps and recently opened ones "for security".

Same for your contacts.

WhatsApp (only Meta product I need to touch in our fleet) will do both at very fast intervals, and upload a contact list diff if it detects changes.

The whole issue here was that Meta bypassed the user matching on the web without paying Google's "cookie matching" price.

BobaFloutist · 2 months ago
It's so obnoxious that WhatsApp refuses to function if you don't let it scan your contacts.

I genuinely think that should be illegal.

raxxorraxor · 2 months ago
"Legal" is missing the point by a mile and is irrelevant.
globalise83 · 3 months ago
This system was designed and implemented by engineers who committed code in a source control system with their name attached, and the changes were requested by product managers in tickets in the ticketing system with their name attached. Those engineers and product managers should be personally liable for an equivalent % of their annual salary as Facebook is liable for a % of its annual revenue.
hoherd · 2 months ago
Sounds like the modern version of the CS Lewis quote:

> The greatest evil is not now done in those sordid dens of crime that Dickens loved to paint. It is not done even in concentration camps and labour camps. In those we see its final result. But it is conceived and ordered (moved, seconded, carried, and minuted) in clean, carpeted, warmed and well-lighted offices, by quiet men with white collars and cut fingernails and smooth-shaven cheeks who do not need to raise their voices.

sometimes_all · 2 months ago
Too true. See also the movie Conspiracy.
taormina · 3 months ago
I like the idea, but I see no reason to shield the management that demanded this of the rank and file. Accountability should go all the way up the chain.
kstrauser · 2 months ago
Yes, but it should include everyone involved, from top to bottom. We wouldn't get those data theft misfeatures if engineers refused to work on them out of personal liability.
juliangmp · 2 months ago
I don't think we should fine any of the people that worked on it. In the end the decision makers are the ones being paid to be responsible so they should be held responsible.

However, there is a conversation to be had about engineers writing code that they fully know is illegal. Imo there should be a punishment for staying complicit and not reporting it to the authorities. Like that time Volkswagen components detected when they were under test and performed differently.

bgw254 · 2 months ago
I think assuming engineers know about the legality of some of these features is far-fetched. Pixel tracking has been a thing for more than a decade now, Google does it, Meta does it and they're but the two biggest players; a lot of companies track and read cookies for personalization reasons. It may feel wrong but it is hard to blame an engineer for thinking of it as just another normal feature. The PMs, Managers and leadership should be responsible for this but at Meta, Managers are trackers and slave masters, not thinkers. Features are to be delivered fast, there is no room to think and plan. Metrics rule everything even when they are clearly evil.
hoppp · 2 months ago
It's unethical for sure, seems like some engineers will do anything for their salary, but if they don't do it somebody else will and it is an exciting technical challenge.

It's better to blame the management and higher ups or Zuck himself directly. Blame the people who finance it and profit from it, not the people who coded it. Follow the money.

ryandrake · 2 months ago
> It's unethical for sure, seems like some engineers will do anything for their salary, but if they don't do it somebody else will and it is an exciting technical challenge.

I remember finding this out as a very junior engineer straight out of university. I was once asked to write code to cheat at a benchmark to make my company's product look better than it actually was. I had deep misgivings about this, but as a brand new junior developer, I was very hesitant to speak up. Eventually I told my manager I didn't feel comfortable with the ethics of working on that project, and he was totally cool with it! He said "No problem, we'll take that task out of your queue and give it to "Jim", he'll do it instead." Jim was thrilled and wrote the benchmark-cheating code himself.

There's always someone willing to do it.

afavour · 2 months ago
Or blame them all. “If I don’t do it someone else will” hasn’t been accepted as an excuse historically, I don’t see a good reason to change that now.

(also, is it an exciting technical challenge? It’s a POST request to localhost!)

nightshift1 · 2 months ago
and they call themselves "engineer"
throw10920 · 2 months ago
This is such an incredibly bad (ignorant and/or malicious) idea in so many ways, chief of which is the incredible power asymmetry between bosses and subordinates in Facebook (and most other companies).
ribosometronome · 3 months ago
How would the EU fine American engineers who live and are paid in America?
joelfried · 3 months ago
They would fine them by having a court case and saying they are guilty and owe money. Collecting on it would be awfully difficult, but you know, people do like trips to Europe.

That said, I think fining the company seems pretty plausible. They won't, but it'd be nice if they did.

okanat · 2 months ago
Well some of them definitely have savings in Europe and like to travel to destinations in Europe.
acatnamedjoe · 3 months ago
Can't America fine them? Surely this is illegal there too?

sevensor · 2 months ago
This is the company that abetted genocide in Burma. Their programmers are outside EU jurisdiction. You expect them to do anything other than pay the fine, shrug, and continue to set the world on fire?
jayd16 · 2 months ago
How often you're asked has no bearing on the morality or criminality of the ask.

Hitmen can't just say "but I keep getting hired to kill people."

hooverd · 2 months ago
do what engineers in other fields do
FuckButtons · 2 months ago
Let’s be real, the people who are truly culpable are the ones who gave them the ok to build this in the first place.
account42 · 2 months ago
If you hire a hitman both you and the hitman are liable. Same here.
aduwah · 2 months ago
Yeah and let's take away the income from the PMs and Engineers and leave the people who actually call the shots unharmed.

Once I worked at a place that actually made a calculation of how much an outage cost the company and gave it to the engineers who resolved the issue to "think" about how bad they were.

What you propose is equally confused and wrong

frenchmajesty · 3 months ago
Very impressive but not surprising coming from Meta. They have a history of doing this kind of thing.

Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.

At this point, I think the race for Zuckerberg is, can Meta survive long enough for the next platform shift (AR or VR) where they will own one of the major platforms and won't need to abide by any reasonable rules before their "internet tentacles" that sustain the Ad Machine are cut off.

My bet is they will make it. Though I don't wish it, they're on track.

bobthepanda · 3 months ago
Companies have been trying to make AR/VR the next platform shift but I'm not super convinced that people actually want or desire this outside of a few niche games. To me it feels like it has about as much staying power as 3D glasses in movies.
MrDarcy · 3 months ago
The window of opportunity already closed for AR/VR. AI dealt the death blow.
packetlost · 3 months ago
idk, I would absolutely jump on AR glasses that offered reasonable hands free interaction (even via a smartwatch or something) and didn't look awful. AI might enable that, actually, but we'll see.
Lu2025 · 2 months ago
That's why Apple is releasing their "glass" interface. AR/VR flopped badly so they are trying to normalize the look to bridge the transition.
dvngnt_ · 3 months ago
For gaming and media consumption, VR is here to stay. The meta raybans have also been successful.

As far as replacing your smartphone with AR glasses that remains to be seen

joshstrange · 3 months ago
> Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular.

They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.

Unlike this case, it required users to jump through a number of hoops/scary iOS warnings. Many still did, for a gift card or less.

disgruntledphd2 · 3 months ago
> Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.

Incorrect. An Israeli startup (Onavo) had pivoted into selling data acquired from their VPN and got acquired by Facebook. Importantly, they used statistics to estimate population prevalence, which is how FB knew that WhatsApp (specifically, this was all post IG acquisition) was super popular outside the US.

> They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.

This was (sadly) an entirely different scandal.

Honestly, I generally defend Meta/targeted advertising in these threads, but this one is such incredible, total, absolute bullshit that I can't even begin to comprehend how one could defend this.

I do remember when I joined FB in 2013, how surprised I was that most of the company didn't care about ads/making money (apart from the sales org). That ship has clearly sailed.

jgalt212 · 3 months ago
> They have a history of doing this kind of thing.

They have a history because the punishment has never dissuaded anyone from being repeat offender.

philistine · 3 months ago
I disagree that they're on track to make it. Their platform, Quest VR, has sold around 20 million headsets. Any company would be over the moon but we're talking Facebook here. They need way more users than that, which can only be achieved with explosive growth.

So maybe they're growing fast? Nope. Their best-selling product, at 14 million of those 20 million, is the Quest 2, which has been discontinued for 9 months. Doesn't sound like explosive growth to me when your best-selling product is not your current product.

extraduder_ire · 3 months ago
The quest 2 was considerably cheaper, I believe it sold at a loss initially, and most of its sales lifetime was during a pandemic. It's hard to directly compare the two.
throwawayffffas · 3 months ago
So I am seeing two issues here.

1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.

2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.

WhyNotHugo · 3 months ago
I'd split that first list into two:

1a. Arbitrary apps can listen on ports without permissions.

1b. Arbitrary apps can access local ports without permissions.

I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
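Points 1a and 1b above (apps can listen on, and reach, local ports with only the install-time INTERNET permission) are at least something a device owner can audit. The following is an added example, not code from this thread or from the researchers: it parses the `/proc/net/tcp` and `/proc/net/tcp6` tables (what `adb shell cat /proc/net/tcp` returns on a device where that file is readable) and lists every socket in LISTEN state bound to loopback or to the wildcard address, attributing each to an Android app uid. The sample tables, ports and uids are constructed; the `u0_aNNN` naming assumes the standard Android convention that user 0's app uids start at 10000.

```python
"""Added example: list sockets reachable via localhost on an Android/Linux host,
parsed from /proc/net/tcp and /proc/net/tcp6, together with the owning (app) uid."""
import ipaddress
import sys
from dataclasses import dataclass
from typing import List

TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket (kernel tcp_states)


@dataclass
class Sock:
    proto: str
    addr: str
    port: int
    state: int
    uid: int
    inode: int


def decode_addr(hexaddr: str) -> str:
    """Turn the kernel's hex address into dotted/colon notation.

    /proc/net/tcp prints each 32-bit word in host byte order; on the
    little-endian CPUs Android phones use, each 4-byte chunk therefore has
    to be reversed before it is a network-order address."""
    raw = bytes.fromhex(hexaddr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return str(ipaddress.ip_address(b"".join(words)))


def parse_proc_net_tcp(text: str, proto: str = "tcp") -> List[Sock]:
    socks = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")  # local_address column
        socks.append(Sock(proto, decode_addr(addr_hex), int(port_hex, 16),
                          int(f[3], 16), int(f[7]), int(f[9])))
    return socks


def localhost_reachable_listeners(socks: List[Sock]) -> List[Sock]:
    """Listening sockets a browser (or any other app) can reach via 127.0.0.1/::1:
    those bound to loopback plus those bound to the wildcard address."""
    out = []
    for s in socks:
        ip = ipaddress.ip_address(s.addr)
        if s.state == TCP_LISTEN and (ip.is_loopback or ip.is_unspecified):
            out.append(s)
    return out


def android_app_label(uid: int) -> str:
    # Assumption (standard Android convention): user 0's installed apps get
    # uids 10000-19999, shown by ps/pm as u0_a<uid-10000>.
    return f"u0_a{uid - 10000}" if 10000 <= uid < 20000 else str(uid)


# Constructed sample tables (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41000 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10101        0 41001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10101        0 41002 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F91 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41003 1 0000000000000000 100 0 0 10 0
"""


def report(tcp_text: str, tcp6_text: str) -> List[str]:
    socks = parse_proc_net_tcp(tcp_text) + parse_proc_net_tcp(tcp6_text, "tcp6")
    return [f"{s.proto} {s.addr}:{s.port} LISTEN owner={android_app_label(s.uid)} (uid {s.uid})"
            for s in localhost_reachable_listeners(socks)]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python audit.py tcp.txt tcp6.txt (files saved via adb shell cat)
        texts = [open(p).read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_TCP, SAMPLE_TCP6]
    print("\n".join(report(*texts)))
```

Against a real device, save the two tables with `adb shell cat /proc/net/tcp` and `adb shell cat /proc/net/tcp6` and pass the files in; the reported uid can be mapped to a package with `adb shell pm list packages -U` (assumed available on recent Android builds). The established connection in the sample (state 01) is deliberately ignored: the question is which apps offer a door, not who is currently walking through it.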

throwawayffffas · 3 months ago
> I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons.

Let me introduce you to https://www.qubes-os.org/.

mzajc · 2 months ago
uBlock Origin ships with a "Block Outsider Intrusion into LAN" filter that I believe is enabled by default. I don't know if it works on the neutered Chrome version, but on Firefox it works so well I've had to add a few whitelists for cases where I do want access to LAN or localhost.
advisedwang · 3 months ago
Those are two technical issues, yes.

But even with those technical issues present, Facebook shouldn't have done this.

throwawayffffas · 2 months ago
Oh absolutely, we are on the same page on that one. I just think it shouldn't be that easy for them to do it.
david_allison · 2 months ago
> Android allows apps to open ports without permissions.

Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).

GrapheneOS allows this permission to be disabled.

As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.

moebrowne · 3 months ago
There is a proposal to restrict sites from accessing a users' local network without permission: https://github.com/explainers-by-googlers/local-network-acce...
ls-a · 3 months ago
What's funny is that the engineers who implemented this are probably one of us here on HN. I don't think Zuck implemented this himself
ryandrake · 3 months ago
AND, whenever you suggest here that engineers should consider the morals or ethics of what they are being asked to work on, you often get lots of push back in the comments. "I just want to work on cool tech! It's my company's problem what they use it for!" and "Hey, I'm just a code monkey, don't blame me! If my manager tells me to build the Torment Nexus, I build the Torment Nexus!"
absurdo · 3 months ago
Some time later on HN front page:

> Why I left FB,GOOG,Whatever

>> Author describes seemingly abhorrently unethical and immoral practices they were completely ignorant of, occurring right in front of them that they were a key participant in.

>> Accepted a massive salary to be ignorant.

>> Shocked as all fuck about ethics and implications.

>> Returned 0 money, cashed out.

>> 100% ethical now.

LadyCailin · 2 months ago
This is one of the main reasons I’m for licensing software engineers like civil engineers are. You know that without a license, you can’t work in the civilized world. So when your license requires you to not build the torment nexus, and some manager comes and says “build the torment nexus” then you tell them no, knowing that they can’t just fire you and hire someone else to do it. Yes, they might outsource it, but you can create regulations that say that companies that offer products in the civilized world anyways can’t offer the torment nexus as a product, and then you get a super compelling argument for preventing the torment nexus.

The plan isn’t without flaws, but nobody ever even wants to discuss, they just cut off the conversation early.

steve_adams_86 · 2 months ago
Absolutely. I’ve done so many bad things with my career. Less over time, but in the beginning I was naive and eager to please. I can’t criticize anyone without admitting I did the exact same thing. We want to stay relevant, get promoted, be the hero who keeps big projects moving, etc. Certain people in leadership see this and use us to execute on things less enthusiastic or more aware/morally grounded types won’t.

This is why I earn half as much working in science now. We will never reach unicorn status but we also won’t treat our end users and partners like pawns to exploit on our path to wealth and power. I can live with that.

hbossy · 3 months ago
That's what they need AI for. It won't say no.
aunetx · 3 months ago
The engineers did not say no either though.
geerlingguy · 3 months ago
Sounds like you're affected if you have either Facebook or Instagram app installed on an Android phone, you're signed into your account, and you don't have anything set up to block tracking pixels and the like (though that last part I'm not as sure of).

Getting through VPNs and incognito mode are the most egregious parts of this offense, though. I think some people are under the impression that's a way to act like you're in total privacy... but it's not. It's just an easy way to act like you're in a new browser session or coming from another location, mostly.

joshstrange · 3 months ago
> I think some people are under the impression that's a way to act like you're in total privacy... but it's not.

It should be for the average person. VPN and private browsing should be enough for what most people use it for. I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.

aspenmayer · 3 months ago
> I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.

If it was possible for this to happen in the past, we have reason to believe that the technical capability to link behavior with identity still exists. What’s “unfair” about informing others about the limitations and risks of using a device online?

SoftTalker · 3 months ago
I mean, I think that Google (or Apple) have full visibility to everything on my Android (or iPhone). Why wouldn't they? Just because they say they don't?
kccqzy · 3 months ago
And if you actually leave the Facebook or Instagram apps running in the background.

Some people hate apps running in the background and they terminate all apps as soon as they are done using them.

extraduder_ire · 2 months ago
Android apps can continue running software in the background even if you dismiss them from the switcher. It's up to the OS to decide when to kill them, unless you go into the settings and press force stop.
jasonthorsness · 3 months ago
"The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging."

Crazy to deploy a hack like this at the scale of Meta.
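The quoted line names two things a defender can look for in the browser's own WebRTC signalling: an ICE candidate that points at loopback (which is what makes STUN packets go to a listener on the phone), and an SDP offer that differs from what the browser generated (the "munging" step, i.e. the page editing the offer between `createOffer()` and `setLocalDescription()`). The following is an added example, not code from this thread or from the research: it parses SDP text, lists loopback candidates, and diffs the ICE attributes of a generated and an applied offer. Both offers are constructed placeholders; in practice this logic would sit in a WebRTC shim or proxy that sees both strings.

```python
"""Added example: detect loopback ICE candidates and SDP munging in WebRTC offers."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Value part of "a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
CANDIDATE_RE = re.compile(
    r"^(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)")


def ice_attributes(sdp: str) -> Dict[str, List[str]]:
    """Collect ICE-related attribute values by name (ice-ufrag, ice-pwd, ice-options, candidate)."""
    attrs: Dict[str, List[str]] = {}
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if line.startswith("a=ice-") or line.startswith("a=candidate:"):
            name, _, value = line[2:].partition(":")
            attrs.setdefault(name, []).append(value)
    return attrs


def _is_loopback(address: str) -> bool:
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # mDNS names such as xxxx.local are not literal addresses
        return address == "localhost"


def loopback_candidates(sdp: str) -> List[str]:
    """Candidates that would direct ICE/STUN traffic to the device itself."""
    hits = []
    for value in ice_attributes(sdp).get("candidate", []):
        m = CANDIDATE_RE.match(value)
        if m and _is_loopback(m["address"]):
            hits.append(f"{m['address']}:{m['port']} typ {m['type']}")
    return hits


def munged_attributes(generated: str, applied: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """ICE attributes that differ between what createOffer() produced and what the
    page is about to pass to setLocalDescription(). An empty dict means no munging."""
    a, b = ice_attributes(generated), ice_attributes(applied)
    return {k: (a.get(k, []), b.get(k, []))
            for k in sorted(set(a) | set(b)) if a.get(k, []) != b.get(k, [])}


# Constructed sample offers; addresses, ports and credentials are placeholders.
GENERATED_OFFER = "\r\n".join([
    "v=0",
    "o=- 1234567890 2 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
    "c=IN IP4 0.0.0.0",
    "a=ice-ufrag:aB3d",
    "a=ice-pwd:examplePasswordPlaceholder000000",
    "a=ice-options:trickle",
    "a=candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host",
    "",
])
# The "applied" offer has a rewritten ufrag and an extra candidate aimed at loopback.
APPLIED_OFFER = (GENERATED_OFFER.replace("a=ice-ufrag:aB3d", "a=ice-ufrag:xYz9")
                 + "a=candidate:2 1 udp 2122194687 127.0.0.1 12345 typ host\r\n")


def findings(generated: str, applied: str) -> List[str]:
    out = [f"loopback candidate: {c}" for c in loopback_candidates(applied)]
    for name, (before, after) in munged_attributes(generated, applied).items():
        out.append(f"munged {name}: {before} -> {after}")
    return out


if __name__ == "__main__":
    for line in findings(GENERATED_OFFER, APPLIED_OFFER):
        print(line)
```

The `o=` line in the sample also carries `127.0.0.1`, as real browser offers often do; it is deliberately not treated as a finding, because only `a=candidate` lines decide where packets are sent.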

raxxorraxor · 2 months ago
Shouldn't a sensible CORS policy by the webserver block these access attempts?

Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.
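On the CORS question above: CORS cannot stop this particular channel, because it is enforced by the browser when a page tries to read a response, while a `no-cors` POST (or STUN over UDP) reaches the listener regardless, and the listener here belongs to the app that wants the data. Where a server-side policy does help is for the legitimate services on localhost mentioned earlier in the thread (dev servers and the like), which can refuse to act on cross-site browser requests themselves. The following is an added example, not code from this thread or from any project it mentions: a pure decision function plus a small `http.server` wrapper that checks the Host header (against DNS rebinding), allows only a constructed origin allowlist, and answers Chrome's Private Network Access preflight (`Access-Control-Request-Private-Network`, the header-based mechanism that the Local Network Access proposal linked above revisits) only for allowed origins. The origin `http://localhost:3000`, the example public origin and port 8000 are assumptions.

```python
"""Added example: Origin/Host policy for a service bound to localhost."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

ALLOWED_ORIGINS = {"http://localhost:3000"}  # constructed: the only web origin allowed to call this service
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _host_only(host_header: str) -> str:
    # Strip a trailing :port but keep IPv6 brackets ("[::1]:8000" -> "[::1]").
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]


def decide(method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra response headers) for a request to the local service."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host check defeats DNS rebinding: a public name that resolves to
    #    127.0.0.1 still arrives with its own name in the Host header.
    if _host_only(h.get("host", "")) not in LOCAL_HOSTS:
        return 421, {}
    origin = h.get("origin")
    # 2. No Origin header: not a cross-site browser request (same-origin GET,
    #    curl, or another local process). Nothing more the web layer can decide.
    if origin is None:
        return 200, {}
    # 3. Cross-site browser request: only allow-listed origins get CORS headers,
    #    and everyone else is refused outright rather than answered without them.
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":  # CORS preflight
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        cors["Access-Control-Allow-Headers"] = h.get("access-control-request-headers", "content-type")
        # Chrome's Private Network Access preflight asks explicitly before a
        # public page may reach a local address; grant it only to allowed origins.
        if h.get("access-control-request-private-network", "").lower() == "true":
            cors["Access-Control-Allow-Private-Network"] = "true"
        return 204, cors
    return 200, cors


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def _respond(self) -> None:
        status, extra = decide(self.command, dict(self.headers.items()))
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_OPTIONS = _respond


if __name__ == "__main__":
    # Bind to loopback only; port 8000 is an assumption for the example.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```

The decision is kept in `decide()` so it can be unit-tested without opening a socket; the handler only translates its result into a response. Note that step 2 is exactly the gap the thread is about: a native app on the same device sends no Origin header, so nothing here distinguishes it from any other local client.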

jobs_throwaway · 2 months ago
yeah...how does this get approved?
strix_varius · 2 months ago
"approved?" In a company where ads are the lifeblood and where the targeting specificity of ads determines their value, whichever engineers put this together are guaranteed to have gotten fantastic promo packets.