1. Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.
2. There are real humans at these companies who choose to take part in the business and design and engineering, etc.
I don’t think these humans have no soul (though some won’t), and I don’t think they’re stupid (though some are). I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.
Which is why I don't think punishing just the company itself is enough. The engineers, designers, PMs that implemented this should also receive punishment, sufficient to give anyone thinking of participating in the implementation of such systems reason enough to feel sick, if only for their own skin. Make it clear that participating in such things carries the risk of losing your career, a lot of money, and potentially even your freedom.
Now they may argue that they didn't know - but you can frame the law such that it's their duty to know and ensure this sort of stuff doesn't happen.
cf Sarbanes-Oxley
My feeling is that corporate officers should bear the burden that the corporation as a person currently bears. I can only imagine how much better things would be in past experiences if the C-levels felt a personal need to actually know how the sausage is being made.
Some of the responsibility lies with us, and we need to not pretend that's not the case.
If you, as an employee, did this - maybe you'd add a few dollars to your stock options over time. If you're Zuck - that's potentially billions.
And in terms of downside - if you are Zuck and stop it in the company - there is no comeback - if you are an engineer blowing the whistle - you may find it hard to work in the industry ever again - and only one of those two actually needs to work.
There are specific crimes, and there are specific people who planned these crimes, specific people who ordered them to be carried out, and who carried them out. And these people should be held accountable for these crimes. Even if they work 60 hours a week for minimum wage and would have been fired if they hadn't committed them. They should have quit in such cases, not committed crimes.
And on the other hand, if your employees, without your knowledge, somehow decided that the only way they could reach their targets was to commit a crime, why should you be held responsible for that? Even if you have 20 megayachts and your employees work 60 hours a week for minimum wage.
That's where "known or should have known" becomes relevant. It's your company, it's your responsibility to know what they are doing.
There is a substitution of one real crime, committed by real people, for a crime "they didn’t know, but should have" against other people, for which there is no real responsibility, while the real criminals are declared to be simply "cogs" in the system.
As a result, no one is held accountable for a crime for which dozens of people who directly committed it could go to prison for many years, because the person held responsible is a high-ranking manager who "should have known, but did not know," who himself issues "a severe reprimand" or assigns a tiny fine for it.
Thus, the entire system is drowning in crimes, the commission of crimes becomes a REQUIREMENT of the system and the commission of crimes becomes a guarantee of the loyalty to the system.
That would seem to be a recipe for more crime, not less.
Note i don't think anyone is saying those directly involved should get off scot-free, just that those really responsible shouldn't.
The obligation to commit crimes in such systems arises precisely from the ability of the ring leader to take responsibility from the criminal onto himself to a significantly lesser extent, citing the fact that he did not commit the crime, but simply did not take something into account or did not know something.
> Note i don't think anyone is saying those directly involved should get off scot-free
But this is exactly what the existence of such a system leads to: the directly involved criminals escape responsibility, or their punishment is significantly reduced because most of the responsibility falls on the system and no one in particular bears full responsibility.
And if the performer bears full responsibility, there will be much fewer crimes, because in this case the performer will already know that he will bear full responsibility, that other employees, fearing full responsibility, will not cover for him, that his boss, who puts him in conditions requiring the commission of a crime, will not be able to relieve him of this responsibility by spreading it on himself or shifting it upwards with blurring. In such a system, the main beneficiary will no longer be able to demand that workers commit crimes - because no one wants to risk becoming the scapegoat with no additional profits.
I'm saying leaders bear more responsibility than foot soldiers - I'm not saying foot soldiers don't also have a responsibility - but 'I didn't physically do it' isn't a defence for those that gave the orders/ created a culture where it happened.
Sure, Zuck might not really have known and that is a mitigation. But I think the interesting question here is what does everybody (in the company) think would have happened if he did find out? Would it have been a 'well done, that's clever/cool' nod and a wink, or would they have expected to lose their jobs?
It's easy to frame laws to make it the leaders' responsibility - it's their job to know - their job to act if they find out - their job to put systems and procedures in place to ensure illegal activity isn't happening on their watch.
And back to the billionaires/foot soldiers thing. Motive also matters - if people did it because of fear of losing their jobs that's a mitigating factor - if people materially benefited to the tune of millions - that's another factor. If you steal - the punishment scales with the value of the theft - same principle - if you want the law to be a deterrent then the punishment has to fit the crime. A fine of 1 million isn't going to stop Zuck doing it again, is it?
That's part of the crime. Of course, the one who gave the order must bear responsibility. It's just that if the subordinate also bears full responsibility, there is a high probability that there will be no order to commit a crime, because everyone will expect that there will be no criminal ready to commit the crime.
>what does everybody (in the company) think would have happened if he did find out?
Why is this important? A crime has been committed. The people who committed it must be held accountable. The lack of responsibility of the direct criminals allows for the existence of a system where the commission of crimes is not punished, employees cover up each other's crimes, and those who refuse to commit them are fired. Not the other way around.
>It's easy to frame laws to make it the leaders responsibility
Where are the examples?
>it's their job to know
Yes, and this is exactly the substitution that occurs: instead of responsibility for a real crime, there is responsibility for a poorly performed job. A great system for a leader to use to get his subordinates to commit crimes for his own benefit.
>if people did it because of fear of losing their jobs
Then they should bear more serious responsibility than those who committed the same crime for personal profit.
Because this is already organized crime, more dangerous for society and more protected from law enforcement agencies. Therefore, the direct perpetrator of the crime, the one who gave the order to commit the crime and those who tried to cover up the criminals - should be considered an organized criminal group, with all the consequences.
And Zuck, if he did not order the crimes to be committed - it would be great for him to get a brand new mega-yacht. So that the next time he starts winking strangely or giving out KPIs that are easiest to achieve by committing crimes - people would think with their own heads, and not start engaging in organized criminal activities.
Frankly, that's what the money's for.
I think anyone would agree that there’s a level of flagrancy where individuals should feel culpability and make the right choices (“write software to prescribe poison to groups we don’t like”).
But something like this? Two apps establishing a comms channel? How many millions of times does this get done per year with no ill intent or effect? Is every engineer supposed to demand to know all of the use cases, and cross reference to other projects they’re not working on?
At some point it’s only fair to say that individuals should exercise their conscience when they have enough information, but it is not incumbent on every engineer to demand justification for every project. That’s where the decision makers who do have the time, resources, and chatter to know better should be taking at least legal responsibility.
I agree that the junior engineer implementing a localhost listener on Android might not understand what it is going to be used for and might not even think to ask. But somewhere, a senior engineer or PM or manager knows, and yes as you say that's the point where responsibility can be assigned, and increasingly up the line from there.
Nobody sits down with a mid-level developer and says “we need your native app to receive webrtc connections that will be used to send app-layer telemetry that circumvents privacy protections”. The requirement is just to receive events and log them. And odds are there were all sorts of harmless events as well.
At the level where people had a holistic view of the system and intent, sure, throw them in jail. I’d guess that’s about 1% of the people who designed, implemented, tested, documented this code.
GmbH - Society with limited liability (german, translated)
This liability shield is by design.
I disagree - companies are set up/run by people, and those people define company culture/ company culture reflects those people.
Not all companies, even big ones, are the same.
To make that concrete - if Mark Zuckerberg found out about the above activity and was appalled and sacked everyone involved that would send out a very strong signal.
Note this particular method can't be a rogue one man job - it requires coordination across multiple parts of the Meta stack - senior people had to know - which would point to a rotten culture at Meta emanating from the top.
So the problem here is to transform a moral incentive into a financial one. A strong outside regulator who will stand its ground can do this, by imposing a meaningful financial penalty to punish the legal/moral transgression. This is why regulations and regulators with teeth are vital in a capitalist system.
I'm not holding my breath here. Regulatory capture is a thing. OTOH, Trump's undiplomatic approach to the EU may wind up costing Meta. We'll see.
Not in my experience. Even investors are people too ( or the investment companies reflect the values of the people running it ).
Sure there are people who believe the only role of a company is to make money ( eg Milton Friedman ). However that's an opinion - not a fact.
Other people have different views and run their companies, or place their investments, accordingly.
Even if you believe all that matters is the bottom line - you still might take the view that doing reputational damaging stuff like this is bad for the long term bottom line.
That's not to say that I don't agree with you that companies will face pressure over the bottom line, and outside regulation is absolutely important. However you should realise that part of running a large public company is aligning your investors to how you want to operate. If you want to take a long term ethical stand then you attract those type of investors and try and get rid of the short term money men.
Like, attracts like.
Why do you separate regulators from the description of the incentive system? The incentive system is also woven into them, and if anything, the incentives for regulators go in a much more sinister direction than for any capitalist company.
Profit-seeking companies are forced to satisfy customers that have their economic freedom. But what about regulators? Their primary incentive is to remain in a position of power, their primary tool for achieving their goals is forcing.
The economic freedom of all agents is a powerful disincentive. And even with it, we see abuses by capitalist companies. But what about regulators, whose disincentives are much weaker, and whose main tool, moreover, allows them to destroy even these weak disincentives? Fixing capitalism's incentives with regulators is like curing a cold with cancer.
We know from another case that the opposite culture is true: when told to break the law and use copyrighted material, the engineers felt uneasy - they were not stupid and understood what they were going to do, and for a similar-in-nature-but-a-few-orders-of-magnitude-smaller thing Aaron Swartz was facing prison time. So they expressed their concerns upwards but they were told to proceed anyway.
People made that decision.
People are human beings, and we are all prone to bias and bribery when big sums of cash are dangled in front of us.
And yes, the leaders of a company/protest group/church might have more influence on the moral choices of its members than the rank and file do - but they are also people too.
A company isn't magical with an existence outside the people that define the systems, processes, and perform the work.
Sure if you are flipping burgers in famous burger chain you are following very clearly defined rules as part of a bigger system - but a person designed that system - intentionally - and people manage and maintain it.
amongst other things...
Some companies do have soul, and some pockets within big companies do. Patagonia, of course but even some big companies like Unilever are surprisingly soulful. They’re the exception maybe, but it’s not like companies have to be amoral.
In tech, there used to be a ton of borderline hippy companies, including Apple and Google. There are probably smaller ones now, but growth and pressure and wealth does seem to squeeze the soul out of places.
I suppose since diluting accountability aligns well with making more money by allowing shadier activities it naturally happens "by accident", but I also think it's quite deliberate in many cases.
I think the key aspect of a company with “soul” is humans directing the company rather than the company directing the humans.
I think the biggest inflection point where this flips is when companies “pivot”.
The human founders of a company should have a well-defined philosophical Vision of what it is they are building and who it is for. If this doesn’t work out, the business should be terminated.
It is the zombie husks of corporate organizations that have been repurposed to other ends by finance that are dangerous.
For some its evil, for others its an interesting itch to scratch.
They're sellouts and traitors.
Then there are people who will take to pondering what it means to be a sellout in a disingenuous manner. They act like it takes a haughty philosophy club to stroke their beards, reinvent paid labor from first principles and through motivated reasoning discover "sellout" isn't all that bad. And it turns out everyone sells out one way or another, so it's a wash what line of work you go into anyway.
Now those are the people who have no souls.
@dang maybe add a $ to the 32B? I see B so often with AI Models that I think the currency symbol would be useful in this link title
This was 15+ years ago now but Verizon (and others?) used Flash (because browsers still shipped with support for that in the 2000s) to create an undeletable cookie. This was settled for low 7 figures.
Privacy legislation has advanced a lot since then and the EU doesn't play around with GDPR violations, particularly when it's so egregious. I don't expect a $32B fine or settlement but it won't surprise me if this costs Meta $1B+.
[1]: https://www.propublica.org/article/verizon-to-pay-1.35-milli...
Getting through VPNs and incognito mode are the most egregious parts of this offense, though. I think some people are under the impression that's a way to act like you're in total privacy... but it's not. It's just an easy way to act like you're in a new browser session or coming from another location, mostly.
It should be for the average person. VPN and private browsing should be enough for what most people use it for. I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.
If it was possible for this to happen in the past, we have reason to believe that the technical capability to link behavior with identity still exists. What’s “unfair” about informing others about the limitations and risks of using a device online?
Some people hate apps running in the background and they terminate all apps as soon as they are done using them.
The native Instagram and Meta apps start a server listening on predefined ports when you launch said apps; they eventually run in the background as well. When you are in your browser, whether in private mode, not logged in, having refused or disabled cookies, or anything else that might make you feel like you are not being explicitly tracked, the browser will connect to the locally running servers through WebRTC and send all tracking data to said servers from the browser.
The android sandboxing thing is basically about how Android isolates each app and should only allow communication through android intents that inform the user of such inter app communication, such as sharing photos and the like. In this case, the browser is communicating with Instagram and Facebook apps without letting the user know.
The legal infringement here is that this happens even when you refuse to be tracked, which is a violation of GDPR and another law mentioned in the article.
The 32B figure is a theoretical maximum (but they also mentioned 100B+ in the article, which confuses me).
In practical terms this is a privacy leak a couple bits more informative but slightly less robust than "these requests are coming from the same IP address."
1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.
2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.
1a. Arbitrary apps can listen on ports without permissions.
1b. Arbitrary apps can access local ports without permissions.
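The two comments above (the app-side listener that the browser reaches over WebRTC, and the point that any app can listen on and connect to local ports without a permission prompt) suggest the first check a practitioner wants on a device: which apps currently hold a listening socket reachable through localhost, and which app is connected to them. The script below is an added example, not code from the original post or from the researchers' tooling. It parses the text that `adb shell cat /proc/net/tcp` (and `/proc/net/tcp6`) and `adb shell pm list packages -U` print, and runs offline on constructed sample dumps; the package names, uids and port numbers in those samples are made up for illustration.

```python
"""Which apps listen on localhost, and which app is connected to them?

Added example for this thread, not from the original post or the researchers'
tooling. Parses the text `adb shell cat /proc/net/tcp` (and tcp6) and
`adb shell pm list packages -U` print. The samples below are constructed;
their package names, uids and ports are made up.
"""
import ipaddress, re, socket, struct

TCP_LISTEN, TCP_ESTABLISHED = "0A", "01"   # 'st' column values in /proc/net/tcp

# Constructed /proc/net/tcp: uid 10234 listens on 127.0.0.1:12345, uid 2000 on
# 0.0.0.0:8080; rows 2 and 3 are the two halves of uid 10301's connection to :12345.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 45680 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10301        0 45681 1 0000000000000000 100 0 0 10 0
   3: 0100007F:3039 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000 10234        0 45683 1 0000000000000000 100 0 0 10 0
"""
# Constructed /proc/net/tcp6: the same uid 10234 also listens on [::1]:12346.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:303A 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 45682 1 0000000000000000 100 0 0 10 0
"""
# Constructed `pm list packages -U`.
SAMPLE_PM_LIST = """\
package:com.example.social uid:10234
package:com.example.browser uid:10301
package:com.android.shell uid:2000
"""


def parse_hex_addr(field):
    """'0100007F:3039' -> ('127.0.0.1', 12345). The kernel prints each 32-bit
    word in host byte order, so on little-endian devices words are byte-swapped."""
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])
    else:
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *struct.unpack("<4I", raw)))
    return ip, int(port_hex, 16)


def loopback_exposure(ip):
    """'loopback-only' (127/8, ::1, ::ffff:127.x), 'all-interfaces' (wildcard
    bind, which localhost can also reach) or None for anything else."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return "loopback-only" if addr.is_loopback else "all-interfaces" if addr.is_unspecified else None


def parse_proc_net_tcp(text):
    """Rows of one or more concatenated /proc/net/tcp{,6} dumps (header rows skipped)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] != "sl":
            rows.append({"local": parse_hex_addr(f[1]), "remote": parse_hex_addr(f[2]),
                         "state": f[3], "uid": int(f[7])})
    return rows


def parse_pm_packages(text):
    """uid -> [package names] from `pm list packages -U` output."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+uid:(\d+)", text, re.MULTILINE):
        out.setdefault(int(m.group(2)), []).append(m.group(1))
    return out


def find_localhost_listeners(proc_net_tcp, pm_packages):
    """(listeners, clients): ports a web page on the device could reach through
    localhost, and the apps currently connected to those ports."""
    rows, pkgs = parse_proc_net_tcp(proc_net_tcp), parse_pm_packages(pm_packages)
    label = lambda uid: ",".join(pkgs.get(uid, ["uid:%d" % uid]))

    listeners = []
    for r in rows:
        exposure = loopback_exposure(r["local"][0])
        if r["state"] == TCP_LISTEN and exposure:
            listeners.append({"port": r["local"][1], "exposure": exposure,
                              "package": label(r["uid"])})
    ports = {l["port"] for l in listeners}

    # Only the client half of a loopback connection has a listening port as its
    # remote port, so each connection is attributed once, to the connecting app.
    clients = [{"client": label(r["uid"]), "port": r["remote"][1]} for r in rows
               if r["state"] == TCP_ESTABLISHED and r["remote"][1] in ports
               and loopback_exposure(r["remote"][0]) == "loopback-only"]
    return sorted(listeners, key=lambda l: l["port"]), clients


if __name__ == "__main__":
    ls, cs = find_localhost_listeners(SAMPLE_PROC_NET_TCP + SAMPLE_PROC_NET_TCP6, SAMPLE_PM_LIST)
    print(*["listen :%d %s %s" % (l["port"], l["exposure"], l["package"]) for l in ls], sep="\n")
    print(*["client :%d <- %s" % (c["port"], c["client"]) for c in cs], sep="\n")
```

On a real device, replace the samples with the output of `adb shell cat /proc/net/tcp /proc/net/tcp6` and `adb shell pm list packages -U`; a wildcard bind is reported too, since localhost reaches it just as well as a 127.0.0.1 bind. Android 10 and later restrict `/proc/net` access for ordinary apps, so collect the dump from `adb shell` (or as root) rather than from inside an app, and take it while the browser has a page open, since the connection rows only exist while a socket is established.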
I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
Let me introduce you to https://www.qubes-os.org/.
But even with those technical issues present, Facebook shouldn't have done this.
Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).
GrapheneOS allows this permission to be disabled.
As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.
Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.
At this point, I think the race for Zuckerberg is, can Meta survive long enough for the next platform shift (AR or VR) where they will own one of the major platforms and won't need to abide by any reasonable rules before their "internet tentacles" that sustain the Ad Machine are cut off.
My bet is they will make it. Though I don't wish it, they're on track.
They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.
Unlike this case, it required users to jump through a number of hoops/scary iOS warnings. Many still did, for a gift card or less.
Incorrect. An Israeli startup (Onavo) that had pivoted into selling data acquired from their VPN got acquired by Facebook. Importantly, they used statistics to estimate population prevalence, which is how FB knew that WhatsApp (specifically, this was all post IG acquisition) was super popular outside the US.
> They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.
This was (sadly) an entirely different scandal.
Honestly, I generally defend Meta/targeted advertising in these threads, but this one is such incredible, total, absolute bullshit that I can't even begin to comprehend how one could defend this.
I do remember when I joined FB in 2013, how surprised I was that most of the company didn't care about ads/making money (apart from the sales org). That ship has clearly sailed.
These kinds of things now point me in a direction where I consider advertising alone to be immoral and want it banned. I should have to request information when I want it, rather than being exposed to it at all times on every available surface.
There are only three ways this can go: 1) more frequent and more spookily relevant ads, increasing the number of people who feel that ads should be illegal because of the law breaking required to make it happen. 2) ads don’t change and everyone quickly learns to ignore them. 3) ads go away, replaced by an easy to use marketing information delivery system where only adults can request information unsupervised.
Meta do #1 because #2 and #3 mean the capitalist line doesn’t go up and the end of Meta, respectively. Meta view both of those as the same thing: the end of Meta.
“What about all the businesses which need advertising to survive?”
If they need advertising to survive they’ve been on borrowed time long enough already.
Advertisements encourage the shit Meta is doing. What kinds of similar things are they doing that we haven’t discovered, yet?
I (personally) think that's going too far. Targeted advertising has been really, really good for small businesses, and given that local newspapers are basically dead and TV/radio are expensive, these business kinda have to use Meta/Google et al.
And that's fine (IMO obviously). The actual problem here is the insatiable drive for growth from public companies/the markets, coupled with wide-scale equity ownership within the companies concerned leads to people doing mental stuff like the OP to drive those numbers up.
A bunch of this is fixable by massive, massive fines (on the part of the EU). The better solution would be for the US to introduce GDPR/DMA like regulation, as US based companies are more likely to follow their home countries laws, but that's not gonna happen any time soon.
The structural problems are harder to resolve, maybe lengthen vesting schedules and/or move back towards dividends to encourage longer-term thinking and approaches.
Coke will be fine if they stop buying TV spots (for a while, at least) but I'm pretty sure Linear/Datadog etc wouldn't be the size they are now without advertising.
> The main reason businesses need to rely on advertising to reach people is because people are already being bombarded by competitors.
Fundamentally, advertising is a way to tell potential customers you exist. Most people don't seek out new products, how do you think small businesses would grow in a world with no advertising?
The ADD incidence rate being 10x for adults since 2005 (not to even mention kids), we'd all appreciate relevance to what we're exploring/thinking about/learning, rather than the genuine nuisance of nagging for something out of context because we're tracked all around the web.
So maybe they're growing fast? Nope. Their better selling product, at 14 million of those 20 million is the Quest 2 which has been discontinued for 9 months. Doesn't sound like explosive growth to me when your best selling product is not your current product.
As far as replacing your smartphone with AR glasses that remains to be seen
We will just have an AI that will do everything, we just ask. "Book a flight, order a pizza and reply to my emails" boom, done.
They have a history because the punishment has never dissuaded anyone from being repeat offender.
> You’re not affected if (and only if) . . .
> You browse on desktop computers or use iOS (iPhones)
At the very least they should step back and allow companies to enforce safeguards because they clearly lack the understanding or foresight to do so effectively.
The simple way for the EU to beat Meta is to stop being so cheap: break the WhatsApp dependency by actually paying properly for something that has a decent UX and doesn't track you. If you aren't willing to do this you will be exploited over and over again. TANSTAAFL
On https://localmess.github.io/, they think that this is technically possible on iOS too, and the main reason it wasn't done there is due to restrictions on apps running in the background.
This is nothing new that has been opened up because of those regulations.
...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
How does choice of search engine protect from this?
I don’t use android or either of those browsers but my guess is that either block the tracking pixel from loading in the first place or they’re more locked down on what they allow websites to reach out to (aka no Localhost access).
>You’re not affected if (and only if) ...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
Covert web-to-app tracking via localhost on Android (341 comments):
Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta Apps (and Yandex) (328 comments)
https://news.ycombinator.com/item?id=44210689
Meta found 'covertly tracking' Android users through Instagram and Facebook (95 comments)
https://news.ycombinator.com/item?id=44182204
Meta pauses mobile port tracking tech on Android after researchers cry foul (28 comments)
https://news.ycombinator.com/item?id=44175940
Covert web-to-app tracking via localhost on Android (6 comments)
https://news.ycombinator.com/item?id=44169314
Meta and Yandex Spying on Your Android Web Browsing Activity
https://news.ycombinator.com/item?id=44177637
New research highlights privacy abuse involving Meta and Yandex
https://news.ycombinator.com/item?id=44171535
Meta and Yandex exfiltrating tracking data on Android via WebRTC (3 comments)
EDIT: Ok probably because it basically is a repost. I just haven't seen it 6 days ago.
I have seen that if a company is called out by name, in an inflammatory manner, the posts tend to drop out quickly. Sometimes, they come back.
Conspiracy theorists say that only happens with YC-backed companies, but that may be selection bias. I have seen stories that call out a number of companies, disappear quickly.
It's hard to say if that's OK or not. I think some of these stories are really nothing more than "hit pieces," but some of them are really on the money.
Why this very news is not on the HN front page for a considerable amount of time is beyond me.
It has the right recipe for a top HN post, namely user deception, sandbox bypass, privacy or lack thereof, web browser, Meta, etc.
What's the point of being Google or Apple except for precisely control of such central services?...
♪ Central Services, we do the work, you do the pleasure... ♪
"Have you considered your ducts?"
...And it just so happens that all the news you see is from the device and subject to this surveillance used to colonize your mind... Sounds democratic!
The old Politburo could only dream of such tools for maintenance of a compliant, obedient proletariat.
And with Central Services new "AI" you can get a brain implant to ensure your perfect conformity and access to the best paying jobs in the world, yours and your family's future will be secure. Be sure to invest in these securities, shop here, entertain and vacation there— leave the driving to us! Do it your way.
"A new life awaits you in the Offworld Colonies. A chance to begin again in a golden land of opportunity and adventure. So c'mon America..."
"...Every leap of civilization was built off the back of a disposable work force..."
Crazy to deploy a hack like this at the scale of Meta.
Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.
In fact, one time there were users on an ad network I built who were breaking rules. I’d track them and try to figure out where they came from and who they actually are, only for them to drop out and open a new account. I’d report to my CEO about this, ask for advice, generally discuss strategies to prevent this kind of usage of the network. He seemed very concerned. But sure enough, eventually I figured out it was actually him all along. He was making tens of thousands of dollars in revenue per month doing literally the most shady stuff on the network. He was using my naivety to keep himself in the loop on internal compliance and stay a step ahead of me.
I’ve worked with several people like this. They love the tech industry. I had to finally admit to myself that I worked with bad people and did bad things to develop the awareness and courage to start saying no and do something else.
Once I was gone, he did the same thing with a younger developer who was eager to break into the industry. I actually work with him now, nearly 15 years later.
> Why I left FB,GOOG,Whatever
>> Author describes seemingly abhorrently unethical and immoral practices they were completely ignorant of, occurring right in front of them that they were a key participant in.
>> Accepted a massive salary to be ignorant.
>> Shocked as all fuck about ethics and implications.
>> Returned 0 money, cashed out.
>> 100% ethical now.
The plan isn’t without flaws, but nobody ever even wants to discuss, they just cut off the conversation early.
Licensing would raise your costs and restrict your choices, while having absolutely no effect on issues like what's being discussed here. You would just get a more expensive Torment Nexus that may or may not be slightly more secure.
This is why I earn half as much working in science now. We will never reach unicorn status but we also won’t treat our end users and partners like pawns to exploit on our path to wealth and power. I can live with that.
Absolutely not. The law is still the law. The fact that Meta is able to break the law via technical means doesn’t mean victims deserve to be victimized.
Just because someone is able to pick your lock at night doesn’t mean you deserve to be burglarized.
which is it? you contradict yourself in a single sentence.
And the bar is high for the average person, who isn't much tech savvy at all.
People: "Oh there is a poisonous substance in the water. Many people harmed" Your answer: "Yeah, why don't you have a degree in water safety, in the first place plebs? I take samples every week."
GDPR doesn't work like your imaginary all-expert world. Facebook should be, and hopefully will be, fined into nonexistence.
Ever since then I refused to install native versions of apps that could be used in a browser. I don't use Facebook or Instagram so I don't know if that works anymore, and I recall testing that they were intentionally crippling Facebook Messenger at one point.
Then the past decade of native apps requesting tons of permissions and users just clicking agree. Why should Facebook be able to read my Wi-Fi network or Bluetooth? Of course there is something shady going on. Beacons tracking people walking around brick and mortar stores. https://en.wikipedia.org/wiki/Facebook_Bluetooth_Beacon
Such a shame because native apps are so much more pleasant and performant to use than web apps.
They were/did. I was using Messenger Lite for a bit which was ok, but they killed that and the mobile browser mode.
I still need FB for some events and contacts, but I refuse to have the fat messenger app installed so now I end up using the damn thing in desktop mode which is ... painful.
All I seem to see in my feed these days is "suggested for you" so it's a lot less addictive than it was back in the day. Not sure why they're so determined to drive the user base away, but that does seem to be the plan.
If it ain't on F-Droid, I'll wait.
From the article:
You’re not affected if (and only if)
You access Facebook and Instagram via the web, without having the apps installed on your phone
This is only what's observably true of a particular app under the hood from straightforwardly jacking into it with Frida or performing any other deeper analysis. What's to say Meta/Google/OtherAnalyticsCorp/OtherMegaCorp hasn't already, on a large scale, colluded with [bought out] app developers to simply share session data out-of-band as another tentacle?
Rather, is it even reasonable to assume they all haven't been doing this all this time? (Maybe these also fall squarely under what GDPR, DSA, and DMA were supposed to mitigate? I'm not an expert here.. just my cynicism kicking in.)
I too go through fairly great pains to try to minimize unneeded apps on my device.
The worst part is that a lot of native apps these days are just web views. You can't even be bothered to use the native UI toolkit and you expect me to download your app? If this is just Safari with extra steps then let me use Safari!
Just ... let me give you money without interrupting me ... please?
Exhibit A: parking apps. Why do I need an app? And why do I need an account? What if I just... don't pay? How many people are doing that? Probably a lot.
So let's spin up a contract with a local towing company and burn all this money for non-compliant customers instead of just getting our heads out of our asses and streamlining the process. I bet you if you just put a tap-to-pay meter then 99% of the non-compliance will just - poof - disappear.
Every app can scan your apps and recently opened ones "for security".
Same for your contacts.
WhatsApp (the only Meta product I need to touch in our fleet) will do both at very fast intervals, and upload a contact list diff if it detects changes.
The whole issue here was that Meta bypassed the user matching on the web without paying Google's "cookie matching" price.
If an app does everything it "legally" could, it would have become malware long before. The principle of that argument is quite similar to that of poor mobile ecosystems we sadly are subjected to. Of course other factors were as important to create these "security" models.
I also think that this plainly isn't or wasn't legal in any jurisdiction because Twitter lacked informed consent if this particular case ever got in front of a judge.
That Twitter isn't the only guilty party is true, like we know from the article.
I genuinely think that should be illegal.
I currently store all my contacts in an app that doesn't expose them through the contacts API for this reason.
Same. After AT&T force obsolesced my perfectly working phone back in February 2022 (it had the bands but they simply didn't want to support it!) I kept it as a dedicated app phone. No web browsing, no stored credentials or cookies, just an app sandbox. Sending a ray of diarrhea to companies who force us to use apps instead of web. I'm looking at you, Chipotle.
> Android has many flaws, but in the relevant part here, it’s specifically designed to prevent apps from doing this — from listening to local ports like localhost.
to mean that they could not do it via HTTP, and instead had to circumvent Android's privacy measures via WebRTC.
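The localhost-listener angle in the comment above, as an added example that is not part of the thread: a small Python parser for the kernel's `/proc/net/tcp` table (as a device owner would read it with `adb shell cat /proc/net/tcp`) that lists TCP sockets in LISTEN state and flags those owned by UIDs in Android's app range (10000 and up, `AID_APP_START`). It is defender-side inventory, not anything Meta's app does. The sample table, the UID 10234 and the ports are constructed for the example; on a real device the inode column can be matched against `/proc/<pid>/fd` to name the owning process.

```python
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# Constructed sample of /proc/net/tcp as read via `adb shell cat /proc/net/tcp`.
# Row 0: app UID 10234 listening on 127.0.0.1:12345 (the case worth flagging).
# Row 1: system UID 1000 listening on 0.0.0.0:8080.
# Row 2: an ESTABLISHED connection, not a listener, so it is ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 12347 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A                # socket state code used in /proc/net/tcp
ANDROID_FIRST_APP_UID = 10000    # AID_APP_START: first UID assigned to installed apps


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    uid: int
    inode: int


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn the kernel's 'AABBCCDD:PPPP' form into ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The IPv4 address is stored as one little-endian 32-bit word, so
    # 0100007F is 7F.00.00.01, i.e. 127.0.0.1.
    packed = struct.pack("<I", int(ip_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_listeners(text: str) -> list[Listener]:
    """Return every TCP socket in LISTEN state from a /proc/net/tcp dump."""
    listeners: list[Listener] = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue                            # malformed or truncated row
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_addr(fields[1])
        listeners.append(Listener(addr, port, int(fields[7]), int(fields[9])))
    return listeners


def app_owned_listeners(text: str) -> list[Listener]:
    """Listeners whose owning UID is in the app range, i.e. opened by an installed app."""
    return [l for l in parse_listeners(text) if l.uid >= ANDROID_FIRST_APP_UID]


if __name__ == "__main__":
    for l in app_owned_listeners(SAMPLE_PROC_NET_TCP):
        print(f"app uid {l.uid} listens on {l.addr}:{l.port} (inode {l.inode})")
```

An app-owned listener is not proof of anything by itself (plenty of apps run a local helper), but a periodic dump of this table from a managed device gives a baseline, and a new loopback listener appearing after an app update is exactly the kind of change worth asking about. Since Android 10 an ordinary app can no longer read other processes' entries in this file, so the dump has to come from the shell user over adb or from the device owner.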
Serious question. I don't generally mind paying taxes and all that. But in this case I feel I am the person offended and I should get some kind of compensation. I'd say €1-2000 would make me feel somewhat compensated.
Personally I would like to see some execs go to prison, rather than taxing/fining a monopolistic corporation, which achieves nothing.
I guess what I am looking for is some kind of personal apology. And that could be manifested in a refund to my bank account. As I explained above.
I don't think sending people to prison helps much.
A personal check would open the eyes for a lot of people and make them realize that this company committed a crime. Against you. And you are worth it.
I was hit by a hit-and-run while driving my car. Totally destroyed the back-end.
I personally investigated and gathered info/videos to figure out the car and plates because the police essentially said they couldn't be bothered.
After finding out the owner of the car the insurance company said that under their criteria it was no longer a hit-and-run and I'm not covered by them. The person did not have insurance.
The law here is the owner of the vehicle faces a $2000 fine, plus the $2000 fine for a vehicle being operated without insurance. I was subpoenaed as a witness (lol) to the hit and run, for which I had to take a day off work.
So, the government earned a cool $4000 for my troubles, and I was out a $3000 car and a day of work.
I've since accepted that fines are just a lazy blunt instrument that serve as nothing more than a deterrent; not a way to fix past injustices. Maybe obvious but still counter intuitive when you're the wronged party.
For me I think a personal handout would also serve as a kind of apology. I guess this is what I am after.
"We purposefully infringed your privacy by breaking the law. And made a sh*tload of money because of that violation. Here is the money back with some extra compensation. We are sorry. We promise to never do it again."
That said, I think fining the company seems pretty plausible. They won't, but it'd be nice if they did.
The look of stunned shock on the project manager’s face is something I’ll never forget.
He was apoplectic with mixed rage and incredulity.
“How dare you refuse a direct order!?” — but now picture a red face and spittle literally flying around the room.
He immediately called my supervisor and up all the way to the CEO of my consultancy.
That’s what happens when individual contributors push back. In general there are zero legal, corporate, or personal protections.
“Do as I say or consequences.” is the norm.
In this situation I was incredibly lucky that the CEO trusted my judgement and told the PM to take a hike. Even if I had been fired I would have been okay.
Most people can’t take risks like that on principle.
That’s fundamentally why enshittification happens, and why every mobile apps’ data collection dragnet would make an NSA spook blush.
Only consequences for directors and up matter. They're the ones that need to feel the fear, not the poor outsourcer struggling to put food on his family table.
I actually think many people could, and the more who do, the easier it gets
If that's a reaction to a "no" in a professional setting, imagine what he could do in personal life.
Hitmen can't just say "but I keep getting hired to kill people."
Once I worked at a place that actually made a calculation of how much an outage cost the company and gave it to the engineers who resolved the issue to "think" about how bad they were.
What you propose is equally confused and wrong
It's better to blame the management and higher-ups, or Zuck himself directly. Blame the people who finance it and profit from it, not the people who coded it. Follow the money.
I remember finding this out as a very junior engineer straight out of university. I was once asked to write code to cheat at a benchmark to make my company's product look better than it actually was. I had deep misgivings about this, but as a brand new junior developer, I was very hesitant to speak up. Eventually I told my manager I didn't feel comfortable with the ethics of working on that project, and he was totally cool with it! He said "No problem, we'll take that task out of your queue and give it to "Jim", he'll do it instead." Jim was thrilled and wrote the benchmarking cheating code himself.
There's always someone willing to do it.
(also, is it an exciting technical challenge? It’s a POST request to localhost!)
> The greatest evil is not now done in those sordid dens of crime that Dickens loved to paint. It is not done even in concentration camps and labour camps. In those we see its final result. But it is conceived and ordered (moved, seconded, carried, and minuted) in clean, carpeted, warmed and well-lighted offices, by quiet men with white collars and cut fingernails and smooth-shaven cheeks who do not need to raise their voices.
However, there is a conversation to be had about engineers writing code that they fully know is illegal. Imo there should be a punishment for staying complicit and not reporting it to the authorities. Like that time Volkswagen components detected when they were under test and performed differently.
- How come Yandex was doing it for years without being noticed?
- Facebook must have known about this technique for years as well, so why did they only enable it last year?
But, for OS that we've developed later, we kind of decided that's a problem, and applications are a vector for malware, and "trust" just isn't enough. So Android and iOS did the whole permissions thing.
Now, we've gone back and added some stuff onto desktop operating systems. Of course Linux has containers these days on desktop. Like, I'm running Firefox right now - but Firefox can only access its runtime folders and ~/Downloads. So, if there's a zero day sandbox breach, I won't get data stolen. There's also SELinux and AppArmor and stuff and you can really jump into the deep end with this.
But, we largely view it as unnecessary because we're running open-source software from trusted repositories. We probably shouldn't view it that way.
Also not included:
https://www.courtlistener.com/docket/70448987/1/rose-v-meta-...
The wiretapping claims carry damages of $5,000 per violation.
It could be he thinks this is laughable like the ePrivacy Directive.
https://www.reuters.com/technology/metas-facebook-pay-90-mil...
https://dicellolevitt.com/case-study/facebook-agrees-to-pay-...
As relevant as ever.
I'm not going full "it's your own fault for having those apps installed" — it really isn't — but people need to learn they shouldn't trust apps made by these giant adzillas. (Which to be fair you could also argue for Android as a whole, and Chrome).
If Facebook and Instagram are "dominating the market" as the EU likes to say, maybe it's time to force allowing 3rd party frontend apps?
I do wish life were that simple. Users (including myself) get value out of natively installed apps. Until that changes, this suggestion is impractical.
> What Meta did wasn’t just a violation of GDPR. It involved bypassing built-in technical protections with the intent to extract and link data — potentially personally identifiable information (PII) — to users without their knowledge or consent.
> That is the textbook definition of unauthorized access and data exfiltration.
That seemed unnecessarily sneaky and made me appreciate the sense of righteousness which I would have, if I were a SW dev @ FB at the time, to add such a technique to a world-tier app like FB.
Perhaps sanctions on those that buy and use the data would help?
ajsnigrutin•1d ago
Definitely not even close to 32B
ceejayoz•1d ago
1.2 billion fine for an earlier incident: https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fi...
birn559•1d ago
It must be low enough that Meta never seriously considers to pull out of Europe.
ajsnigrutin•1d ago
Why? Threatening is one thing, actually leaving one of the largest markets is something different. Also, not much of value would be lost.
> Something that you can sensibly express as a fraction of the revenue of Meta is significant though.
Also, if the percentage is low, it just becomes the "cost of doing business" and not a fine that would actually make them rethink and not do stuff like that again.
disgruntledphd2•15h ago
More generally, the whole point of getting absurdly large (and as such being covered by the DMA etc.) is precisely to extract more monopoly profits.
GDPR is different, in that one can easily imagine a low margin company getting hurt by this, but in that case they should invest in compliance, rather like these (mostly US) companies do for US laws.
rsynnott•1d ago
Of course the concern would be that even at that rate some companies might see it as a cost of doing business.