Ever since then I refused to install native versions of apps that could be used in a browser. I don't use Facebook or Instagram so I don't know if that works anymore, and I recall testing that they were intentionally crippling Facebook Messenger at one point.
Then the past decade of native apps requesting tons of permissions and users just clicking agree. Why should Facebook be able to read my Wi-Fi network or Bluetooth? Of course there is something shady going on. Beacons tracking people walking around brick and mortar stores. https://en.wikipedia.org/wiki/Facebook_Bluetooth_Beacon
Such a shame because native apps are so much more pleasant and performant to use than web apps.
dcminter · 12h ago
> they were intentionally crippling Facebook Messenger at one point [in a browser]
They were/did. I was using Messenger Lite for a bit which was ok, but they killed that and the mobile browser mode.
I still need FB for some events and contacts, but I refuse to have the fat messenger app installed so now I end up using the damn thing in desktop mode which is ... painful.
All I seem to see in my feed these days is "suggested for you" so it's a lot less addictive than it was back in the day. Not sure why they're so determined to drive the user base away, but that does seem to be the plan.
const_cast · 11h ago
Web apps have been sabotaged so severely for years now, and it really peeves me. Half the time they bombard the UI with "use the app!!1" popups and the other half of the time they just don't work.
The worst part is that a lot of native apps these days are just web views. You can't even be bothered to use the native UI toolkit and you expect me to download your app? If this is just Safari with extra steps then let me use Safari!
Saris · 10h ago
I like using ublock origin since I can create filters for those popups.
gausswho · 12h ago
I felt a prude at the time but eschewed native apps for browser versions and haven't regretted. Didn't benefit from notification distraction anyway. Apple and Google just didn't get their houses in order to be taken seriously.
If it ain't on F-Droid, I'll wait.
boneitis · 7h ago
There is another can of worms hidden in plain sight right here, I feel like.
From the article:
You’re not affected if (and only if)
You access Facebook and Instagram via the web, without having the apps installed on your phone
This is only what's observably true of a particular app under the hood from straightforwardly jacking into it with Frida or performing any other deeper analysis.
What's to say Meta/Google/OtherAnalyticsCorp/OtherMegaCorp hasn't already, on a large scale, colluded with [bought out] app developers to simply share session data out-of-band as another tentacle?
Rather, is it even reasonable to assume they all haven't been doing this all this time? (Maybe these also fall squarely under what GDPR, DSA, and DMA were supposed to mitigate? I'm not an expert here.. just my cynicism kicking in.)
I too go through fairly great pains to try to minimize unneeded apps on my device.
1oooqooq · 10h ago
this is still perfectly legal and allowed.
every app can scan your apps and recently opened ones "for security".
same for your contacts.
whatsapp (only meta product i need to touch in our fleet) will do both at very fast intervals, and upload a contact list diff if it detects changes.
the whole issue here was that meta bypassed the user matching on the web without paying google "cookie matching" price
raxxorraxor · 1h ago
"Legal" is missing the point by a mile and is irrelevant.
globalise83 · 12h ago
This system was designed and implemented by engineers who committed code in a source control system with their name attached, and the changes were requested by product managers in tickets in the ticketing system with their name attached. Those engineers and product managers should be personally liable for an equivalent % of their annual salary as Facebook is liable for a % of its annual revenue.
hoherd · 8h ago
Sounds like the modern version of the CS Lewis quote:
> The greatest evil is not now done in those sordid dens of crime that Dickens loved to paint. It is not done even in concentration camps and labour camps. In those we see its final result. But it is conceived and ordered (moved, seconded, carried, and minuted) in clean, carpeted, warmed and well-lighted offices, by quiet men with white collars and cut fingernails and smooth-shaven cheeks who do not need to raise their voices.
sometimes_all · 1h ago
Too true. See also the movie Conspiracy.
taormina · 12h ago
I like the idea, but I see no reason to shield the management that demanded this of the rank and file. Accountability should go all the way up the chain.
kstrauser · 12h ago
Yes, but it should include everyone involved, from top to bottom. We won't get those data theft misfeatures if engineers refused to work on them out of personal liability.
jiggawatts · 2h ago
I once bluntly refused to deploy an app to production because it was a finance system that handled billions of dollars and the personal data of a million children. The HTTPS certificates couldn’t be organised on time (don’t ask), so I simply refused to deploy it using HTTP only “just for now” (=years).
The look of stunned shock on the project manager’s face is something I’ll never forget.
He was apoplectic with mixed rage and incredulity.
“How dare you refuse a direct order!?” — but now picture a red face and spittle literally flying around the room.
He immediately called my supervisor and up all the way to the CEO of my consultancy.
That’s what happens when individual contributors push back. In general there are zero legal, corporate, or personal protections.
“Do as I say or consequences.” is the norm.
In this situation I was incredibly lucky that the CEO trusted my judgement and told the PM to take a hike. Even if I had been fired I would have been okay.
Most people can’t take risks like that on principle.
That’s fundamentally why enshittification happens, and why every mobile app’s data collection dragnet would make an NSA spook blush.
Only consequences for directors and up matter. They're the ones that need to feel the fear, not the poor outsourcer struggling to put food on his family table.
gizzlon · 57m ago
> Most people can’t take risks like that on principle.
I actually think many people could, and the more who do, the easier it gets
throw10920 · 5h ago
This is such an incredibly bad (ignorant and/or malicious) idea in so many ways, chief of which is the incredible power asymmetry between bosses and subordinates in Facebook (and most other companies).
hoppp · 11h ago
It's unethical for sure, seems like some engineers will do anything for their salary,
but if they don't do it somebody else will and it is an exciting technical challenge.
It's better to blame the management and higher ups or Zuck himself directly. Blame the people who finance it and profit from it, not the people who coded it. Follow the money.
ryandrake · 10h ago
> It's unethical for sure, seems like some engineers will do anything for their salary, but if they don't do it somebody else will and it is an exciting technical challenge.
I remember finding this out as a very junior engineer straight out of university. I was once asked to write code to cheat at a benchmark to make my company's product look better than it actually was. I had deep misgivings about this, but as a brand new junior developer, I was very hesitant to speak up. Eventually I told my manager I didn't feel comfortable with the ethics of working on that project, and he was totally cool with it! He said "No problem, we'll take that task out of your queue and give it to "Jim", he'll do it instead." Jim was thrilled and wrote the benchmarking cheating code himself.
There's always someone willing to do it.
bormaj · 9h ago
In other more heavily regulated industries, whistleblowers are fortunately compensated and protected for raising such ethical issues. I wonder how far tech can go before we start to see similar government agencies and rules put in place to do the same.
afavour · 9h ago
Or blame them all. “If I don’t do it someone else will” hasn’t been accepted as an excuse historically, I don’t see a good reason to change that now.
(also, is it an exciting technical challenge? It’s a POST request to localhost!)
nightshift1 · 7h ago
and they call themselves "engineer"
aduwah · 11h ago
Yeah and let's take away the income from the PMs and Engineers and leave the people who actually call the shots unharmed.
Once I worked at a place that actually made a calculation of how much an outage cost the company and gave it to the engineers who resolved the issue to "think" about how bad they were.
What you propose is equally confused and wrong
FuckButtons · 8h ago
Let’s be real, the people who are truly culpable are the ones who gave them the OK to build this in the first place.
ribosometronome · 12h ago
How would the EU fine American engineers who live and are paid in America?
joelfried · 12h ago
They would fine them by having a court case and saying they are guilty and owe money. Collecting on it would be awfully difficult, but you know, people do like trips to Europe.
That said, I think fining the company seems pretty plausible. They won't, but it'd be nice if they did.
okanat · 11h ago
Well, some of them definitely have savings in Europe and like to travel to destinations in Europe.
acatnamedjoe · 12h ago
Can't America fine them? Surely this is illegal there too?
pesus · 12h ago
There is probably little to no chance of that happening in the current political climate.
haliskerbas · 12h ago
[deleted]
jayd16 · 12h ago
How often you're asked has no bearing on the morality or criminality of the ask.
Hitmen can't just say "but I keep getting hired to kill people."
throw10920 · 5h ago
Comparing engineers writing tracking code for ads, to hitmen killing people, is an extremely dishonest and emotionally manipulative comparison. These things aren't even in the same category, and you know it.
hooverd · 11h ago
do what engineers in other fields do
frenchmajesty · 21h ago
Very impressive but not surprising coming from Meta. They have a history of doing these kinds of things.
Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.
At this point, I think the race for Zuckerberg is, can Meta survive long enough for the next platform shift (AR or VR) where they will own one of the major platforms and won't need to abide by any reasonable rules before their "internet tentacles" that sustain the Ad Machine are cut off.
My bet is they will make it. Though I don't wish it, they're on track.
bobthepanda · 14h ago
Companies have been trying to make AR/VR the next platform shift but I'm not super convinced that people actually want or desire this outside of a few niche games. To me it feels like it has about as much staying power as 3D glasses in movies.
MrDarcy · 14h ago
The window of opportunity already closed for AR/VR. AI dealt the death blow.
LoganDark · 14h ago
What do you mean? AI will enable better AR/VR experiences, or AI will obsolete them?
Miraste · 13h ago
Simpler than that: AI co-opted the hype machine and the buzzword gurus, and therefore the investor money.
isk517 · 12h ago
Pretty much, and it's a shame because AR has so much potential. Our company has started using an AR product in our quality control. It really doesn't take using it for long to realize the potential; being able to overlay a CAD model over the physical finished project is incredible and offers a lot of time savings. Unfortunately the most advanced AR device on the market is over 5 years old so you can really feel the software brush up against the hardware limitations.
gpderetta · 13h ago
wait for AI generated virtual worlds. On a blockchain.
hoppp · 11h ago
I cant wait for the rug pull
dvngnt_ · 13h ago
For gaming and media consumption, VR is here to stay. The meta raybans have also been successful.
As far as replacing your smartphone with AR glasses that remains to be seen
hoppp · 11h ago
I think the world is progressing away from headsets or screens.
We will just have an AI that will do everything, we just ask. "Book a flight, order a pizza and reply to my emails" boom, done.
packetlost · 13h ago
idk, I would absolutely jump on AR glasses that offered reasonable hands free interaction (even via a smartwatch or something) and didn't look awful. AI might enable that, actually, but we'll see.
joshstrange · 20h ago
> Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular.
They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.
Unlike this case, it required users to jump through a number of hoops/scary iOS warnings. Many still did, for a gift card or less.
disgruntledphd2 · 19h ago
> Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.
Incorrect. An Israeli startup (Onavo) that had pivoted into selling data acquired from their VPN got acquired by Facebook. Importantly, they used statistics to estimate population prevalence, which is how FB knew that WhatsApp (specifically; this was all post-IG acquisition) was super popular outside the US.
> They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.
This was (sadly) an entirely different scandal.
Honestly, I generally defend Meta/targeted advertising in these threads, but this one is such incredible, total, absolute bullshit that I can't even begin to comprehend how one could defend this.
I do remember when I joined FB in 2013, how surprised I was that most of the company didn't care about ads/making money (apart from the sales org). That ship has clearly sailed.
joshstrange · 18h ago
Ahh, I knew about the Onavo acquisition history but I had had "context crunched" it down and skipped over the time when it was on the App Store before they rebranded it as (internally) "Project Atlas" and externally Facebook Research which was distributed through enterprise distribution. Thank you for the clarification.
disgruntledphd2 · 17h ago
Yeah, they were different and happened at different times. I can kinda justify Onavo (personally I think that they could've been the Nielsen of mobile if they hadn't gotten acquired) but the whole enterprise cert thing was super, super shady.
naikrovek · 13h ago
> Honestly, I generally defend Meta/targeted advertising in these threads
These kinds of things now point me in a direction where I consider advertising alone to be immoral and want it banned. I should have to request information when I want it, rather than being exposed to it at all times on every available surface.
There are only three ways this can go: 1) more frequent and more spookily relevant ads, increasing the number of people who feel that ads should be illegal because of the law breaking required to make it happen. 2) ads don’t change and everyone quickly learns to ignore them. 3) ads go away, replaced by an easy to use marketing information delivery system where only adults can request information unsupervised.
Meta do #1 because #2 and #3 mean the capitalist line doesn’t go up and the end of Meta, respectively. Meta view both of those as the same thing: the end of Meta.
“What about all the businesses which need advertising to survive?”
If they need advertising to survive they’ve been on borrowed time long enough already.
Advertisements encourage the shit Meta is doing. What kinds of similar things are they doing that we haven’t discovered, yet?
jgalt212 · 13h ago
> They have a history of doing these kinds of things.
They have a history because the punishment has never dissuaded anyone from being a repeat offender.
philistine · 19h ago
I disagree that they're on track to make it. Their platform, Quest VR, has sold around 20 million headsets. Any company would be over the moon but we're talking Facebook here. They need way more users than that, which can only be achieved with explosive growth.
So maybe they're growing fast? Nope. Their better selling product, at 14 million of those 20 million is the Quest 2 which has been discontinued for 9 months. Doesn't sound like explosive growth to me when your best selling product is not your current product.
extraduder_ire · 12h ago
The quest 2 was considerably cheaper, I believe it sold at a loss initially, and most of its sales lifetime was during a pandemic. It's hard to directly compare the two.
ls-a · 14h ago
What's funny is that the engineers who implemented this are probably one of us here on HN. I don't think Zuck implemented this himself
ryandrake · 13h ago
AND, whenever you suggest here that engineers should consider the morals or ethics of what they are being asked to work on, you often get lots of push back in the comments. "I just want to work on cool tech! It's my company's problem what they use it for!" and "Hey, I'm just a code monkey, don't blame me! If my manager tells me to build the Torment Nexus, I build the Torment Nexus!"
absurdo · 12h ago
Some time later on HN front page:
> Why I left FB,GOOG,Whatever
>> Author describes seemingly abhorrently unethical and immoral practices they were completely ignorant of, occurring right in front of them that they were a key participant in.
>> Accepted a massive salary to be ignorant.
>> Shocked as all fuck about ethics and implications.
This is one of the main reasons I’m for licensing software engineers like civil engineers are. You know that without a license, you can’t work in the civilized world. So when your license requires you to not build the torment nexus, and some manager comes and says “build the torment nexus” then you tell them no, knowing that they can’t just fire you and hire someone else to do it. Yes, they might outsource it, but you can create regulations that say that companies that offer products in the civilized world anyways can’t offer the torment nexus as a product, and then you get a super compelling argument for preventing the torment nexus.
The plan isn’t without flaws, but nobody ever even wants to discuss, they just cut off the conversation early.
icedchai · 10h ago
Yes, they'll just outsource it. Plus, it could be argued that localhost tracking is not actually illegal in the jurisdiction where it was developed (debatable, I know.)
CamperBob2 · 8h ago
You don't want a licensing requirement in software engineering. That attempts to solve the problem in the wrong place entirely. The problem is that it's legal to build the Torment Nexus.
Licensing would raise your costs and restrict your choices, while having absolutely no effect on issues like what's being discussed here. You would just get a more expensive Torment Nexus that may or may not be slightly more secure.
hbossy · 14h ago
That's what they need AI for. It won't say no.
aunetx · 14h ago
The engineers did not say no either though.
hkt · 13h ago
They're hoping that in the long run AI won't say no and will be cheaper
throwawayffffas · 21h ago
So I am seeing two issues here.
1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.
2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.
WhyNotHugo · 19h ago
I'd split that first list into two:
1a. Arbitrary apps can listen on ports without permissions.
1b. Arbitrary apps can access local ports without permissions.
I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
throwawayffffas · 17h ago
> I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons.
For the ultra paranoid is there anything that can do this on a smartphone?
const_cast · 11h ago
I believe GrapheneOS has true sandboxing.
mzajc · 9h ago
uBlock Origin ships with a "Block Outsider Intrusion into LAN" filter that I believe is enabled by default. I don't know if it works on the neutered Chrome version, but on Firefox it works so well I've had to add a few whitelists for cases where I do want access to LAN or localhost.
advisedwang · 14h ago
Those are two technical issues, yes.
But even with those technical issues present, Facebook shouldn't have done this.
throwawayffffas · 9h ago
Oh absolutely, we are on the same page on that one. I just think it shouldn't be that easy for them to do it.
david_allison · 11h ago
> Android allows apps to open ports without permissions.
Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).
GrapheneOS allows this permission to be disabled.
As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.
Sounds like you're affected if you have either Facebook or Instagram app installed on an Android phone, you're signed into your account, and you don't have anything set up to block tracking pixels and the like (though that last part I'm not as sure of).
Getting through VPNs and incognito mode are the most egregious parts of this offense, though. I think some people are under the impression that's a way to act like you're in total privacy... but it's not. It's just an easy way to act like you're in a new browser session or coming from another location, mostly.
joshstrange · 20h ago
> I think some people are under the impression that's a way to act like you're in total privacy... but it's not.
It should be for the average person. VPN and private browsing should be enough for what most people use it for. I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.
SoftTalker · 12h ago
I mean, I think that Google (or Apple) have full visibility into everything on my Android (or iPhone). Why wouldn't they? Just because they say they don't?
aspenmayer · 13h ago
> I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.
If it was possible for this to happen in the past, we have reason to believe that the technical capability to link behavior with identity still exists. What’s “unfair” about informing others about the limitations and risks of using a device online?
kccqzy · 12h ago
And if you actually leave the Facebook or instagram apps running in the background.
Some people hate apps running in the background and they terminate all apps as soon as they are done using them.
extraduder_ire · 12h ago
Android apps can continue running software in the background even if you dismiss them from the switcher. It's up to the OS to decide when to kill them, unless you go into the settings and press force stop.
jasonthorsness · 18h ago
"The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging."
Crazy to deploy a hack like this at the scale of Meta.
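Added example, not code from the thread or from Meta: the comment above names WebRTC STUN as the transport, and the discussion further down asks why a plain localhost fetch was not used instead. A UDP port reached through WebRTC does not see an HTTP request line; it sees STUN Binding Requests (RFC 5389), whose USERNAME attribute carries the ICE ufrag that a page controls through its SDP (RFC 8445). The decoder below shows what such a listener, or a monitoring tool fed localhost UDP captures, can pull out of one of those packets. The sample packet is constructed here; the thread does not say which SDP field Meta Pixel used or how the _fbp value was encoded, and nothing below claims to.

```python
"""Decode a STUN Binding Request as a localhost UDP listener would see it.

Added example (not Meta Pixel code). Only standard RFC 5389 structure is
decoded; the sample packet built by build_binding_request() is constructed.
"""
from __future__ import annotations

import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_NAMES = {
    0x0006: "USERNAME",            # ICE puts "remote-ufrag:local-ufrag" here
    0x0008: "MESSAGE-INTEGRITY",
    0x0024: "PRIORITY",
    0x8022: "SOFTWARE",
    0x8028: "FINGERPRINT",
    0x8029: "ICE-CONTROLLED",
    0x802A: "ICE-CONTROLLING",
}


def build_binding_request(username: str, txid: bytes | None = None) -> bytes:
    """Constructed sample: one Binding Request with a single USERNAME attribute.
    Attribute values are padded to a 4-byte boundary as the RFC requires."""
    txid = txid or os.urandom(12)
    body = username.encode()
    attr = struct.pack("!HH", 0x0006, len(body)) + body + b"\x00" * (-len(body) % 4)
    header = struct.pack("!HHI", BINDING_REQUEST, len(attr), MAGIC_COOKIE) + txid
    return header + attr


def is_stun(pkt: bytes) -> bool:
    """RFC 5389 demultiplexing check: 20-byte header, top two bits of the type
    zero, magic cookie present, body length a multiple of 4."""
    if len(pkt) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", pkt[:8])
    return not (msg_type & 0xC000) and cookie == MAGIC_COOKIE and length % 4 == 0


def parse_stun(pkt: bytes) -> dict:
    """Return header fields plus decoded attributes; raise ValueError on
    anything that is not a well-formed STUN message (e.g. an HTTP request)."""
    if not is_stun(pkt):
        raise ValueError("not a STUN message")
    msg_type, length = struct.unpack("!HH", pkt[:4])
    if len(pkt) != 20 + length:
        raise ValueError("length field does not match packet size")
    attrs: dict[str, str] = {}
    pos = 20
    while pos < len(pkt):
        atype, alen = struct.unpack("!HH", pkt[pos:pos + 4])
        value = pkt[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        name = ATTR_NAMES.get(atype, f"0x{atype:04x}")
        # USERNAME and SOFTWARE are UTF-8 per the RFC; everything else stays hex
        attrs[name] = (value.decode("utf-8", "replace")
                       if name in ("USERNAME", "SOFTWARE") else value.hex())
        pos += 4 + alen + (-alen % 4)          # skip the attribute plus its padding
    return {"type": msg_type, "txid": pkt[8:20].hex(), "attrs": attrs}


if __name__ == "__main__":
    sample = build_binding_request("remoteufrag:localufrag")  # constructed values
    print(parse_stun(sample))
    print("HTTP looks like STUN?", is_stun(b"GET / HTTP/1.1\r\n\r\n"))
```

To watch a port for real, bind a UDP socket on 127.0.0.1 and pass each recvfrom() payload to parse_stun(); the USERNAME field is the only free-form, page-controlled text a conformant Binding Request carries, which is why it is the first thing worth logging.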
raxxorraxor · 1h ago
Shouldn't a sensible CORS policy by the webserver block these access attempts?
Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.
jobs_throwaway · 12h ago
yeah...how does this get approved?
strix_varius · 3h ago
"approved?" In a company where ads are the lifeblood and where the targeting specificity of ads determines their value, whichever engineers put this together are guaranteed to have gotten fantastic promo packets.
jmward01 · 20h ago
I'm just confused why Meta needed to do this. Isn't fingerprinting good enough to not risk building this? All I can think is they use something like this to prove out their other tracking tech is working (this is the test set effectively). It is obvious that they really have several of these types of tracking technologies so that if one gets found out/patched they can switch it off and say 'look we stopped' all while still tracking with impunity. It just seems dumb that they would keep something this blatant in use.
SoftTalker · 12h ago
Sociopathic people are running the company. You tell them they can't do something, they take it as a challenge and try to do it without getting caught.
iamleppert · 13h ago
The real flaw here is in WebRTC. WebRTC should be disabled by default, and behind a permissions dialog at least. Still, facebook could just disable chat or some feature and claim they need WebRTC and 99% of users would opt-in to it.
tdiff · 12h ago
What I don't get:
- How come Yandex was doing it for years without being noticed.
- Facebook must have known about this technique for years as well, why did they only enable it last year.
kgwxd · 12h ago
They knew who was going to be president this year.
bloppe · 10h ago
The American president doesn't really matter in this case. The EU is where they're going to get destroyed.
afavour · 9h ago
It’s quite possible that a different administration would punish FB for this. The current president being who he is, is the reason it doesn’t matter.
hurtuvac78 · 20h ago
This story got kicked out of front page quite suddenly, not sure how/why. Lots of points and comments.
N-Krause · 20h ago
Yeah, would be interested to know why exactly
EDIT: Ok probably because it basically is a repost. I just haven't seen it 6 days ago.
ChrisMarshallNY · 13h ago
Lots of second posts stick around for a long time.
I have seen that if a company is called out by name, in an inflammatory manner, the posts tend to drop out quickly. Sometimes, they come back.
Conspiracy theorists say that only happens with YC-backed companies, but that may be selection bias. I have seen stories that call out a number of companies, disappear quickly.
It's hard to say if that's OK or not. I think some of these stories are really nothing more than "hit pieces," but some of them are really on the money.
teleforce · 18h ago
"If you're not paying for the product, you are the product" - anonymous.
Why is this very news is not in the HN front page for considerable amount of time is beyond me.
It has the right recipe for top HN post namely users deception, sandbox bypass, privacy or lack thereof, web browser, Meta, etc.
eviks · 14h ago
"If you're paying, you're still the product", so apparently other factors anon didn't mention are involved
ATechGuy · 14h ago
If it does not cost them everything, they will not stop.
ranguna · 21h ago
Tldr because this article has way too much filler for my taste (but I'm sure there are people out there that enjoy reading that kind of thing):
The native Instagram and Meta apps start a server listening on predefined ports when you launch said apps; they eventually run in the background as well. When you are in your browser, whether in private mode, not logged in, having refused or disabled cookies, or anything else that might make you feel like you are not being explicitly tracked, the browser will connect to the locally running servers through WebRTC and send all tracking data to said servers from the browser.
The Android sandboxing thing is basically about how Android isolates each app and should only allow communication through Android intents that inform the user of such inter-app communication, such as sharing photos and the like. In this case, the browser is communicating with the Instagram and Facebook apps without letting the user know.
The legal infringement here is that this happens even when you refuse to be tracked, which is a violation of GDPR and another law mentioned in the article.
The 32B figure is a theoretical maximum (but they also mentioned 100B+ in the article, which confuses me).
bsimpson · 19h ago
And according to the article, they're using RTC because Android is meant to be hardened against backdooring localhost, but Meta found a loophole that allowed it if over RTC.
naniwaduni · 20h ago
The technical details roughly boil down to "your browser lets internet sites talk to local services"; in this case if they cooperate they can identify each other, but cf. https://mrbruh.com/asusdriverhub/
In practical terms this is a privacy leak a couple bits more informative but slightly less robust than "these requests are coming from the same IP address."
theginger · 13h ago
Does anyone know how long was this going on, are we talking weeks, months or years?
sidcool · 20h ago
This is quite an interesting read. But if Android does not allow listening to local host ports, how did meta achieve it?
graftak · 14h ago
It’s allowed over RTC
throwawayffffas · 21h ago
What about the whatsapp app?
throwawayffffas · 16h ago
I did a quick check with adb, it looks like whatsapp is not opening any ports.
bsimpson · 19h ago
...and FB Messenger
OptionOfT · 13h ago
Reading though this, is it correct to say that they could've done a fetch("http://localhost:<port>/id=<id>"), but then it would show up very conspicuously in the logs, and you couldn't talk to UDP ports with it?
brazzy · 12h ago
I read this:
> Android has many flaws, but in the relevant part here, it’s specifically designed to prevent apps from doing this — from listening to local ports like localhost.
to mean that they could not do it via HTTP, and instead had to circumvent Android's privacy measures via WebRTC.
fifilura · 13h ago
If this fine is collected. Will I get the money?
Serious question. I don't generally mind paying taxes and all that. But in this case I feel I am the person offended and I should get some kind of compensation. I'd say €1-2000 would make me feel somewhat compensated.
saintfire · 5h ago
I have an anecdote about fines not being about making a victim whole.
I was hit by a hit-and-run while driving my car. Totally destroyed the back-end.
I personally investigated and gathered info/videos to figure out the car and plates because the police essentially said they couldn't be bothered.
After finding out the owner of the car the insurance company said that under their criteria it was no longer a hit-and-run and I'm not covered by them. The person did not have insurance.
The law here is the owner of the vehicle faces a $2000 fine, plus the $2000 fine for a vehicle being operated without insurance.
I was subpoenaed as a witness (lol) to the hit and run, for which I had to take a day off work.
So, the government earned a cool $4000 for my troubles, and I was out a $3000 car and a day of work.
I've since accepted that fines are just a lazy blunt instrument that serve as nothing more than a deterrent; not a way to fix past injustices. Maybe obvious but still counter intuitive when you're the wronged party.
fifilura · 5h ago
Thank you for your reply.
For me I think a personal handout would also serve as a kind of apology. I guess this is what I am after.
"We purposefully infringed your privacy by breaking the law. And made a sh*tload of money because of that violation. Here is the money back with some extra compensation. We are sorry. We promise to never do it again."
BlarfMcFlarf · 11h ago
Theoretically, fines replace tax revenue, so you get compensated by lower taxes. (Practically, spending and income are decoupled and taxes are mostly just an inflation management strategy.)
fifilura · 11h ago
I can understand it of course. But in this case I feel personally offended. I would like to see the money handed to me.
remram · 6h ago
If most people in your country use Meta apps, whether it's a tax discount spread across the population or a payout spread across the userbase doesn't make a difference.
Personally I would like to see some execs go to prison, rather than taxing/fining a monopolistic corporation, which achieves nothing.
fifilura · 4h ago
You don't have to explain taxes to me, it is a concept that is pretty easy to grasp, and - even though I understood it already - the grandparent post also explained it. And I touched the subject in my original post.
I guess what I am looking for is some kind of personal apology. And that could be manifested in a refund to my bank account. As I explained above.
I don't think sending people to prison helps much.
A personal check would open the eyes for a lot of people and make them realize that this company committed a crime. Against you. And you are worth it.
riddley · 12h ago
I'm guessing I'll get down-voted for this, but what's to stop any browser/executable from trolling through /proc on Linux and knowing about what every process running as you is doing?
__turbobrew__ · 4h ago
Nothing, notably programs like discord do exactly this under the guise of detecting if you are playing a game or not, but I find it hard to believe that discord can resist the temptation to send back the entire process tree to their servers.
const_cast · 11h ago
Nothing really. Desktop operating systems are basically grandfathered into the modern world. They have the old timey approach to application security. That being, applications can access everything on your computer, and there's no fine-grained permission systems.
But, for OS that we've developed later, we kind of decided that's a problem, and applications are a vector for malware, and "trust" just isn't enough. So Android and iOS did the whole permissions thing.
Now, we've gone back and added some stuff onto desktop operating systems. Of course Linux has containers these days on desktop. Like, I'm running Firefox right now - but Firefox can only access its runtime folders and ~/Downloads. So, if there's a zero day sandbox breach, I won't get data stolen. There's also SELinux and Apparmor and stuff and you can really jump into the deep end with this.
But, we largely view it as unnecessary because we're running open-source software from trusted repositories. We probably shouldn't view it that way.
hollerith · 12h ago
File mode bits prevent processes not running as root from reading much of the info in /proc.
mbreese · 12h ago
I don’t know… with a stock Linux, the information a user can get from top (via /proc, I assume), is pretty thorough. You can at least get a list of running programs, which by itself could be valuable.
hollerith · 9h ago
Good point. I withdraw my comment.
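Added example, not from anyone in the thread: a small Python script that shows what an unprivileged process on stock Linux can actually enumerate from /proc (program names via the world-readable comm file, versus the owner-only environ file), and that parses the hidepid= mount option which hides other users' entries. The mount lines it is checked against are constructed.

```python
"""Added example (not from the thread): what an unprivileged process can see
in /proc on a stock Linux box, and whether the hidepid= mount option that
hides other users' processes is in effect."""
import os
import re

# Matches the proc filesystem entry in /proc/mounts, e.g.
# "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0"
_PROC_MOUNT = re.compile(r"^\S+\s+(?P<target>\S+)\s+proc\s+(?P<opts>\S+)")

# hidepid= takes a number, and on kernels 5.8+ also these names.
_HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def parse_hidepid(mounts_text: str) -> int:
    """Return the hidepid level of the /proc mount described in mounts_text.

    0 = other users' /proc/<pid> directories are fully visible (kernel default)
    1 = the directories are listed but their files cannot be read
    2 = other users' pids do not appear in /proc at all
    4 = entries appear only for processes the caller could ptrace
    """
    for line in mounts_text.splitlines():
        m = _PROC_MOUNT.match(line)
        if not m or m.group("target") != "/proc":
            continue
        for opt in m.group("opts").split(","):
            if opt.startswith("hidepid="):
                value = opt.split("=", 1)[1]
                if value in _HIDEPID_NAMES:
                    return _HIDEPID_NAMES[value]
                return int(value) if value.isdigit() else 0
        return 0  # /proc is mounted but no hidepid option was given
    return 0


def system_hidepid(mounts_path="/proc/mounts") -> int:
    """hidepid level of the running system (0 when /proc is unavailable)."""
    try:
        with open(mounts_path) as f:
            return parse_hidepid(f.read())
    except OSError:
        return 0


def visible_processes(proc="/proc"):
    """Return (pid, comm, environ_readable) for every /proc/<pid> the caller
    can enumerate.  comm (the program name) is world-readable on a default
    mount; environ is mode 0400 and owned by the process owner, so it is the
    canary for 'could I read the sensitive parts too'."""
    rows = []
    try:
        names = os.listdir(proc)
    except OSError:
        return rows  # not Linux, or /proc not mounted
    for name in names:
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # the process exited, or hidepid=1 denied the read
        environ_readable = os.access(os.path.join(proc, name, "environ"), os.R_OK)
        rows.append((int(name), comm, environ_readable))
    return rows


def own_process_visible() -> bool:
    """True when the caller's own pid shows up in the enumeration."""
    return any(pid == os.getpid() for pid, _, _ in visible_processes())


def main():
    rows = visible_processes()
    readable = sum(1 for _, _, ok in rows if ok)
    print(f"hidepid={system_hidepid()}  processes visible: {len(rows)}  "
          f"with readable environ: {readable}")
    for pid, comm, ok in sorted(rows)[:10]:
        print(f"  {pid:>7}  {comm:<20}  environ {'readable' if ok else 'denied'}")


if __name__ == "__main__":
    main()
```

Mounting /proc with hidepid=2 (or invisible) is the usual way to stop the process listing that the comment above describes, and the script reports whether that is in effect.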
jonahbenton · 5h ago
What about Whatsapp?
12_throw_away · 10h ago
I guess we don't call it a "0-day" if it's multinational corporation doing the illegal data exfiltration ...
Waterluvian · 21h ago
Every story like this has me thinking about two things:
1. Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.
2. There are real humans at these companies who choose to take part in the business and design and engineering, etc.
I don’t think these humans have no soul (though some won’t), and I don’t think they’re stupid (though some are). I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.
DrScientist · 20h ago
> Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.
I disagree - companies are set up/run by people, and those people define company culture/ company culture reflects those people.
Not all companies, even big ones, are the same.
To make that concrete - if Mark Zuckerberg found out about the above activity and was appalled and sacked everyone involved that would send out a very strong signal.
Note this particular method can't be a rogue one man job - it requires coordination across multiple parts of the Meta stack - senior people had to know - which would point to a rotten culture at Meta emanating from the top.
benterix · 18h ago
> To make that concrete - if Mark Zuckerberg found out about the above activity and was appalled and sacked everyone involved that would send out a very strong signal.
We know from another case that the opposite culture is true: when told to break the law and use copyrighted material, the engineers feel uneasy - they were not stupid and understood what they were going to do, and for a similar-in-nature-but-a-few-orders-of-magnitude-smaller things Aaron Swartz was facing prison time. So they expressed their concerns upwards but they were told to proceed anyway.
DrScientist · 18h ago
Exactly.
People made that decision.
alt227 · 14h ago
This is a grey area. Yes people are people, but when they work for corporations they are given a green light to do things that they normally morally wouldn't do. The ability to blame it on superiors, brush it under the carpet, or hide evidence amongst billions of pieces of normal data allow 'People' to make abhorrent decisions in the best interest of making the company money. These decisions may even be incentivised by bonuses etc.
People are human beings, and we are all prone to bias and bribery when big sums of cash are dangled in front of us.
BlarfMcFlarf · 11h ago
When an insurance company executive decided to start screwing consumers a bit less, a board member initiated a lawsuit against him and the company. The system corrects for errors, and individual choices to do better are exactly such an error.
drweevil · 19h ago
No, companies indeed have no soul. This is all about perverse incentives. While companies are setup/run by people, the (publicly owned) company as a whole only has one incentive: profit. If any person on the inside stands against that, they won't stand long. Investors, executives whose pay depend on it, etc. will make sure of that.
So the problem here is to transform a moral incentive into a financial one. A strong outside regulator who will stand its ground can do this, by imposing a meaningful financial penalty to punish the legal/moral transgression. This is why regulations and regulators with teeth are vital in a capitalist system.
I'm not holding my breath here. Regulatory capture is a thing. OTOH, Trump's undiplomatic approach to the EU may wind up costing Meta. We'll see.
DrScientist · 19h ago
> If any person on the inside stands against that, they won't stand long. Investors, executives whose pay depend on it, etc. will make sure of that.
Not in my experience. Even investors are people too ( or the investment companies reflect the values of the people running it ).
Sure there are people who believe the only role of a company is to make money ( eg Milton Friedman ). However that's an opinion - not a fact.
Other people have different views and run their companies, or place their investments, accordingly.
Even if you believe all that matters is the bottom line - you still might take the view that doing reputational damaging stuff like this is bad for the long term bottom line.
That's not to say that I don't agree with you that companies will face pressure over the bottom line, and outside regulation is absolutely important. However you should realise that part of running a large public company is aligning your investors to how you want to operate. If you want to take a long term ethical stand then you attract those type of investors and try and get rid of the short term money men.
Like, attracts like.
Ray20 · 13h ago
>This is why regulations and regulators with teeth are vital in a capitalist system.
Why do you separate regulators from describing incentive system? The incentive system is also woven into them, and if anything, the incentives for regulators go in a much more sinister direction than for any capitalist company.
Profit-seeking companies are forced to satisfy customers that have their economic freedom. But what about regulators? Their primary incentive is to remain in a position of power, their primary tool for achieving their goals is forcing.
The economic freedom of all agents is a powerful disincentive. And even with it, we see abuses by capitalist companies. But what about regulators, whose disincentives are much weaker, and whose main tool, moreover, allows them to destroy even this weak disincentives? Fixing capitalism's incentives with regulators is like curing a cold with cancer.
lazyeye · 11h ago
Here's a senior ex-Facebook exec detailing how the company would betray users in the US to the CCP to help gain access to the Chinese market:-
> I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.
Which is why I don't think punishing just the company itself is enough. The engineers, designers, PM's that implemented this should also receive punishment, sufficient enough to make anyone thinking of participating in the implementation of such systems has reason enough to feel sick, if only for their own skin. Make it clear that participating in such things carries the risk of losing your career, a lot of money, and potentially even your freedom.
DrScientist · 20h ago
I'd argue that the person running the company in this case is responsible.
Now they may argue that they didn't know - but you can frame the law such that's it's their duty to know and ensure this sort of stuff doesn't happen.
cf Sarbanes-Oxley
brookst · 20h ago
Definitely a good way to drive talent overseas. Get the low level people to assume all of the risk with none of the upsides; ask recent grads and junior people to do E2E ethical analysis on every project in addition to their 60 hour/week job, give the truly evil people convenient, lower-level scapegoats.
Waterluvian · 20h ago
Completely agree.
My feeling is that corporate officers should bear the burden that the corporation as a person currently bears. I can only imagine how much better things would be in past experiences if the C-levels felt a personal need to actually know how the sausage is being made.
genocidicbunny · 20h ago
I can't fully agree because the way I see it, that is in a way scapegoating the company executives. Are they responsible? Probably, yes, they set the direction of the company and give the orders at the highest level. But we the engineers and designers are the ones actually implementing what is probably a fairly nebulous order at the highest levels into something concrete. They deign that there should be evil created, but we're the ones who are actually making it happen.
Some of the responsibility lies with us, and we need to not pretend that's not the case.
DrScientist · 19h ago
I'd agree at a personal/moral level there is equal responsibility. However that doesn't recognise both the power and risk/reward imbalance here.
If you, as an employee did this - maybe you'd add a few dollars to your stock options over time. If you're Zuck - that's potentially billions.
And in terms of downside - if you are Zuck and stop it in the company - there is no comeback - if you are an engineer blowing the whistle - you may find it hard to work in the industry ever again - and only one of those two actually needs to work.
Ray20 · 13h ago
Sounds like a typical blurring of responsibility through bureaucracy. "If Zak is a billionaire, then he is responsible, but since he essentially did nothing wrong, then no one will be held accountable." Total nonsense.
There are specific crimes, and there are specific people who planned these crimes, specific people who ordered them to be carried out, and who carried them out. And these people should be held accountable for these crimes. Even if they work 60 hours a week for minimum wage and would have been fired if they hadn't committed them. They should have quit in such cases, not committed crimes.
And on the other hand, if your employees, without your knowledge, somehow decided that the only way they could reach their targets was to commit a crime, why should you be held responsible for that? Even if you have 20 megayachts and your employees work 60 hours a week for minimum wage.
SoftTalker · 12h ago
> if your employees, without your knowledge, somehow decided that the only way they could reach their targets was to commit a crime, why should you be held responsible for that?
That's where "known or should have known" becomes relevant. It's your company, it's your responsibility to know what they are doing.
Ray20 · 8h ago
No, what you are suggesting is a typical strategy of avoiding punishment and creating an opportunity to break the law. A very common strategy, used everywhere, especially in dictatorial and socialist regimes.
There is a substitution of one real crime, committed by real people, for a crime "they didn’t know, but should have" against other people, for which there is no real responsibility, while the real criminals are declared to be simply "cogs" in the system.
As a result, no one is held accountable for a crime for which dozens of people who directly committed it could go to prison for many years, because the person held responsible is a high-ranking manager who "should have known, but did not know," who himself issues "a severe reprimand" or assigns a tiny fine for it.
Thus, the entire system is drowning in crimes, the commission of crimes becomes a REQUIREMENT of the system and the commission of crimes becomes a guarantee of the loyalty to the system.
brookst · 18h ago
Do you also take personal responsibility for your company’s hiring practices, investment strategy, and marketing content? None of that would exist without you.
I think anyone would agree that there’s a level of flagrancy where individuals should feel culpability and make the right choices (“write software to prescribe poison to groups we don’t like”).
But something like this? Two apps establishing a comms channel? How many millions of times does this get done per year with no ill intent or effect? Is every engineer supposed to demand to know all of the use cases, and cross reference to other projects they’re not working on?
At some point it’s only fair to say that individuals should exercise their conscience when they have enough information, but it is not incumbent on every engineer to demand justification for every project. That’s where the decision makers who do have the time, resources, and chatter to know better should be taking at least legal responsibility.
genocidicbunny · 6h ago
When I was involved in the hiring pipeline, I absolutely felt a level of personal responsibility since I was directly contributing to the decision to hire or not hire an applicant. That's not to say I was willing to shoulder the entirety of the responsibility, but knowing that my decision would affect not only the applicant, but their potential future coworkers too, I did feel responsible for making sure I had as much information as I could get and that I was making the best decisions I could.
SoftTalker · 12h ago
As a software developer no I don't feel responsible for those things, because I don't have any involvement with them as part of my job. But the people who work in HR, finance, and marketing are responsible for those things.
I agree that the junior engineer implementing a localhost listener on Android might not understand what it is going to be used for and might not even think to ask. But somewhere, a senior engineer or PM or manager knows, and yes as you say that's the point where responsibility can be assigned, and increasingly up the line from there.
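Added example, not from the thread or from any of the products it discusses: the check a defender runs to see which sockets on a device are bound to loopback, which is what a web-to-app channel over localhost needs; it parses the kernel socket tables /proc/net/tcp and /proc/net/tcp6 (the world-readable files behind `ss` and `netstat`). The table rows embedded below are constructed sample data, not captured from a real device.

```python
"""Added example (not from the thread): list sockets listening on loopback by
parsing the kernel socket tables, the place a localhost listener shows up."""
import ipaddress
from typing import List, NamedTuple

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket


class Listener(NamedTuple):
    proto: str   # "tcp" or "tcp6"
    addr: str    # decoded local address
    port: int    # decoded local port
    uid: int     # socket owner; on Android uids >= 10000 belong to installed apps
    inode: int   # socket inode, which maps back to a pid via /proc/<pid>/fd


def decode_addr(hexaddr: str) -> str:
    """Decode a /proc/net/tcp address field.  Each 32-bit word is printed in
    host byte order (little-endian on x86/arm64), so reverse every 4 bytes:
    '0100007F' -> 127.0.0.1, and 32 hex digits -> an IPv6 address."""
    words = [bytes.fromhex(hexaddr[i:i + 8])[::-1] for i in range(0, len(hexaddr), 8)]
    return str(ipaddress.ip_address(b"".join(words)))


def parse_listeners(table: str, proto: str) -> List[Listener]:
    """Parse one socket table (the text of /proc/net/tcp or tcp6) and keep
    only rows in the LISTEN state."""
    out = []
    for line in table.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = cols[1].split(":")
        out.append(Listener(proto, decode_addr(addr_hex), int(port_hex, 16),
                            int(cols[7]), int(cols[9])))
    return out


def is_loopback(addr: str) -> bool:
    """127.0.0.0/8, ::1, and the IPv4-mapped form ::ffff:127.x.y.z."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def loopback_listeners(listeners: List[Listener]) -> List[Listener]:
    return [l for l in listeners if is_loopback(l.addr)]


def system_loopback_listeners() -> List[Listener]:
    """Read the live tables; returns [] where /proc/net is not readable."""
    found = []
    for proto, path in (("tcp", "/proc/net/tcp"), ("tcp6", "/proc/net/tcp6")):
        try:
            with open(path) as f:
                found += loopback_listeners(parse_listeners(f.read(), proto))
        except OSError:
            pass
    return found


# Constructed sample rows (not from a real device): row 0 is an app-uid
# process listening on 127.0.0.1:12345, row 1 is a daemon on all interfaces
# (port 22), row 2 is an established client connection, not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A4B2 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10123        0 45690 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: the same app uid listening on [::1]:8080.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45700 1 0000000000000000 100 0 0 10 0
"""


if __name__ == "__main__":
    sample = (loopback_listeners(parse_listeners(SAMPLE_TCP, "tcp"))
              + loopback_listeners(parse_listeners(SAMPLE_TCP6, "tcp6")))
    for l in sample + system_loopback_listeners():
        print(f"{l.proto:<5} {l.addr}:{l.port}  uid={l.uid} inode={l.inode}")
```

On a Linux desktop this runs as any user; on Android 10 and later app processes are denied /proc/net, so the live check is run from an adb shell, where the uid column tells you which installed app owns each listener.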
wapeoifjaweofji · 19h ago
> I can't fully agree because the way I see it, that is in a way scapegoating the company executives.
Frankly, that's what the money's for.
throwawayqqq11 · 20h ago
LLC - Limited liability company
GmbH - Society with limited liability (german, translated)
This liability shield is by design.
zufallsheld · 20h ago
The ceo (Geschäftsführer) is liable when they intentionally break the law so the limited liability is not applicable then.
genocidicbunny · 20h ago
And yet, we still have the ability to pierce the liability veil. Heck, it's even in the name, "limited liability". Not "no liability".
bnlxbnlx · 20h ago
I think (haven't actually watched it, but on my watchlist) this is exactly what the movie "The Corporation" (2003) [1] lays out.
Yes you are right. I owned the DVD twenty years ago! It blew my mind at the time...
rsync · 17h ago
I think about this a lot …
I think the key aspect of a company with “soul” is humans directing the company rather than the company directing the humans.
I think the biggest inflection point where this flips is when companies “pivot”.
The human founders of a company should have a well-defined philosophical Vision of what it is they are building and who it is for. If this doesn’t work out, the business should be terminated.
It is the zombie husks of corporate organizations that have been repurposed to other ends by finance that are dangerous.
jameskilton · 21h ago
Never underestimate the evil a human can perpetuate in the name of a paycheck.
bsenftner · 20h ago
If that paycheck comes from religion, that salaryman will willfully incorporate evil into their everyday behavior, thinking they are doing evil for gawd. We've got a civilization of short sighted idiots.
grues-dinner · 20h ago
There are multiple entire industries built around diluting and proxying accountability.
I suppose since diluting accountability aligns well with making more money by allowing shadier activities it naturally happens "by accident", but I also think it's quite deliberate in many cases.
brookst · 20h ago
I agree except perhaps an over generalization.
Some companies do have soul, and some pockets within big companies do. Patagonia, of course but even some big companies like Unilever are surprisingly soulful. They’re the exception maybe, but it’s not like companies have to be amoral.
In tech, there used to be a ton of borderline hippy companies, including Apple and Google. There are probably smaller ones now, but growth and pressure and wealth does seem to squeeze the soul out of places.
dogleash · 14h ago
> I don’t think these humans have no soul
They're sellouts and traitors.
Then there are people who will take to pondering what it means to be a sellout in a disingenuous manner. They act like it takes a haughty philosophy club to stroke their beards, reinvent paid labor from first principles and through motivated reasoning discover "sellout" isn't all that bad. And it turns out everyone sells out one way or another, so it's a wash what line of work you go into anyway.
Now those are the people who have no souls.
vjerancrnjak · 14h ago
Look at atrocities of animal agriculture and all difficult engineering done to scale massive slaughter.
For some it's evil, for others it's an interesting itch to scratch.
JimDabell · 20h ago
Is this just a particular case of diffusion of responsibility?
sudahtigabulan · 20h ago
Can this be avoided by running any Meta apps in Work Profile, and the browser in Main Profile?
lom · 21h ago
How long can Instagram keep the local port open before Android will kill it to save battery?
wewewedxfgdf · 20h ago
Makes me think of the Simpsons episode where Bart gets away with anything by saying "I'm sorry", and looking contrite.
greenchair · 21h ago
This is one of the big reasons big tech wants h1bs -> for their shady/illegal/immoral projects.
BobbyTables2 · 8h ago
They’re getting off cheaply!
1vuio0pswjnm7 · 4h ago
"Meta faces simultaneous liability under the following regulations, listed from least to most severe: GDPR, DSA, and DMA (I'm not even including the ePrivacy Directive because it's laughable)."
The craziest part is that they are not liable of anything apparently under the basically non existent American privacy laws.
pupppet · 19h ago
Once again those of us in NA have to leave it to the European government to look out for us.
icedchai · 10h ago
Yes, I just love all those cookie banners. Thanks!
ghthor · 18h ago
I mean, we can assume they are doing something bad and not install their software.
davedx · 21h ago
This is an incredibly scummy and devious implementation of user tracking. I think META shareholders should hold onto their hats with this one.
@dang maybe add a $ to the 32B? I see B so often with AI Models that I think the currency symbol would be useful in this link title
ranguna · 20h ago
It's 32B€
geerlingguy · 21h ago
Ditto on the 32B, especially since that's IIRC one of the llama model sizes!
jmyeet · 21h ago
I'm reminded of zombie cookies [1].
This was 15+ years ago now but Verizon (and others?) used Flash (because browsers still shipped with support for that in the 2000s) to create an undeletable cookie. This was settled for low 7 figures.
Privacy legislation has advanced a lot since then and the EU doesn't play around with GDPR violations, particularly when it's so egregious. I don't expect a $32B fine or settlement but it won't surprise me if this costs Meta $1B+.
My prediction, facebook gets fined something like ~12 million euros, eu bureaucrats shake their hands, facebook finds a different way to do the same thing.
1.2B is less than 1% of Meta's revenue in FY2024. Maximum fines for infractions like these should exist on a sliding scale, as some percentage of prior revenue.
gloxkiqcza · 20h ago
The point was it’s two orders of magnitude more than the original comment stated. Also 1% of yearly revenue is not insignificant.
brookst · 20h ago
Probably best indexed to profit rather than revenue. 10% of revenue would be a one quarter’s profit for meta, but more than a year’s profit for Amazon and about 9 years of profit for Otto. Higher margins / profits should mean higher fines.
disgruntledphd2 · 19h ago
The laws specify revenue, to avoid transfer pricing removing all fineable profits. Live by the sword, die by the sword I guess.
birn559 · 20h ago
Something that you can sensibly express as a fraction of the revenue of Meta is significant though.
It must be low enough that Meta never seriously considers to pull out of Europe.
ajsnigrutin · 20h ago
> It must be low enough that Meta never seriously considers to pull out of Europe.
Why? Threatening is one thing, actually leaving one of the largest markets is something different. Also, not much of value would be lost.
> Something that you can sensibly express as a fraction of the revenue of Meta is significant though.
Also, if the percentage is low, it just becomes the "cost of doing business" and not a fine that would actually make them rethink and not do stuff like that again.
okanat · 13h ago
Why do you think Zuck became a wannabe fascho out of nowhere? DMA and GDPR fines will hurt Meta a lot when they are due. Zuck is trying to leverage Trump and the war to nullify the fines.
rsynnott · 20h ago
They actually do; max GDPR penalty is 4% global revenue, say.
Of course the concern would be that even at that rate some companies might see it as a cost of doing business.
ricardbejarano · 21h ago
This is equal parts ingenious and dishonest.
Thorrez · 20h ago
>You’re not affected if (and only if)
...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
How does choice of search engine protect from this?
yegg · 20h ago
I think they meant our browser.
joshstrange · 20h ago
> How does choice of search engine protect from this?
I don’t use android or either of those browsers but my guess is that either block the tracking pixel from loading in the first place or they’re more locked down on what they allow websites to reach out to (aka no Localhost access).
Thorrez · 20h ago
I'm not asking about browsers, I'm asking about a search engine. How could a search engine block a tracking pixel? You click a link in the search engine and go to a website. The search engine can't control the website after you go there, can it?
joshstrange · 20h ago
DuckDuckGo and Brave have browsers on Android
mvdtnz · 14h ago
Are you being intentionally obtuse? Read the quote again,
>You’re not affected if (and only if)
...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
_wire_ · 18h ago
You've rented a device that connects to a worldwide communications network built on a principle of numerically exact message routing between every device and use it to run numerically exact programs from service providers to access services that host and consolidate the particulars of your identity within their servers rather than your device, and you are amazed that the device can persistently track everything you do with the device?
What's the point of being Google or Apple except for precisely control of such central services?...
♪ Central Services, we do the work, you do the pleasure... ♪
"Have you considered your ducts?"
...And it just so happens that all the news you see is from the device and subject to this surveillance used to colonize your mind... Sounds democratic!
The old Politburo could only dream of such tools for maintenance of a compliant, obedient proletariat.
And with Central Services new "AI" you can get a brain implant to ensure your perfect conformity and access to the best paying jobs in the world, yours and your family's future will be secure. Be sure to invest in these securities, shop here, entertain and vacation there— leave the driving to us! Do it your way.
"A new life awaits you in the Offworld Colonies. A chance to begin again in a golden land of opportunity and adventure. So c'mon America..."
"...Every leap of civilization was built off the back of a disposable work force..."
udev4096 · 14h ago
This is one of the reasons you need to segregate your whole LAN. At the bare minimum, use VLANs to knock off these ruthless scanners. And obviously, this wouldn't be possible if you used a strong adblock list on whatever DNS you're running. They cannot touch the people who take proper measures. I also do not believe people who use Facebook really care about privacy. I am well aware of how mean this sounds but they fully deserve to be tracked.
janalsncm · 14h ago
> they fully deserve to be tracked
Absolutely not. The law is still the law. The fact that Meta is able to break the law via technical means doesn’t mean victims deserve to be victimized.
Just because someone is able to pick your lock at night doesn’t mean you deserve to be burglarized.
udev4096 · 13h ago
Get a better lock. If you don't care enough to not get lock picked, whose fault is it? The bar to avoid this form of tracking is not high at all. It's trivial for anyone who is willing to put some serious effort into defending their privacy.
finnh · 13h ago
"trivial ... serious efforts"
which is it? you contradict yourself in a single sentence.
oceansky · 13h ago
Absolutely no lock will prevent a sufficiently motivated thief.
And the bar is high for the average person, who isn't much tech savvy at all.
comrh · 13h ago
You live in a tech bubble if you think it's trivial when most people don't even know what localhost is.
okanat · 13h ago
This is why lawmakers don't take the opinion of "experts" like you.
People: "Oh there is a poisonous substance in the water. Many people harmed"
Your answer: "Yeah, why don't you have a degree in water safety, in the first place plebs? I take samples every week."
GDPR doesn't work like your imaginary all-expert world. Facebook should and hopefully be fined to nonexistence.
fidotron · 20h ago
The same European intelligentsia that is progressively forcing Apple to tear down the walled garden simultaneously fails to understand that this is exactly why they had it in the first place:
> You’re not affected if (and only if) . . .
> You browse on desktop computers or use iOS (iPhones)
At the very least they should step back and allow companies to enforce safeguards because they clearly lack the understanding or foresight to do so effectively.
The simple way for the EU to beat Meta is to stop being so cheap: break the WhatsApp dependency by actually paying properly for something that has a decent UX and doesn't track you. If you aren't willing to do this you will be exploited over and over again. TANSTAAFL
brookst · 20h ago
It is kind of funny that EU may well require these kinds of vulns to be present, while reacting with outrage when used.
Covert web-to-app tracking via localhost on Android (341 comments):
https://news.ycombinator.com/item?id=44169115
Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta Apps (and Yandex) (328 comments)
https://news.ycombinator.com/item?id=44210689
Meta found 'covertly tracking' Android users through Instagram and Facebook (95 comments)
https://news.ycombinator.com/item?id=44182204
Meta pauses mobile port tracking tech on Android after researchers cry foul (28 comments)
https://news.ycombinator.com/item?id=44175940
Covert web-to-app tracking via localhost on Android (6 comments)
https://news.ycombinator.com/item?id=44169314
Meta and Yandex Spying on Your Android Web Browsing Activity
https://news.ycombinator.com/item?id=44177637
New research highlights privacy abuse involving Meta and Yandex
https://news.ycombinator.com/item?id=44171535
Meta and Yandex exfiltrating tracking data on Android via WebRTC (3 comments)
https://news.ycombinator.com/item?id=44176697
If it ain't on F-Droid, I'll wait.
From the article:
This is only what's observably true of a particular app under the hood from straightforwardly jacking into it with Frida or performing any other deeper analysis. What's to say Meta/Google/OtherAnalyticsCorp/OtherMegaCorp hasn't already, on a large scale, colluded with [bought out] app developers to simply share session data out-of-band as another tentacle?
Rather, is it even reasonable to assume they all haven't been doing this all this time? (Maybe these also fall squarely under what GDPR, DSA, and DMA were supposed to mitigate? I'm not an expert here.. just my cynicism kicking in.)
I too go through fairly great pains to try to minimize unneeded apps on my device.
Every app can scan your apps and recently opened ones "for security".
Same for your contacts.
WhatsApp (only Meta product I need to touch in our fleet) will do both at very fast intervals, and upload a contact list diff if it detects changes.
The whole issue here was that Meta bypassed the user matching on the web without paying Google's "cookie matching" price.
> The greatest evil is not now done in those sordid dens of crime that Dickens loved to paint. It is not done even in concentration camps and labour camps. In those we see its final result. But it is conceived and ordered (moved, seconded, carried, and minuted) in clean, carpeted, warmed and well-lighted offices, by quiet men with white collars and cut fingernails and smooth-shaven cheeks who do not need to raise their voices.
The look of stunned shock on the project manager’s face is something I’ll never forget.
He was apoplectic with mixed rage and incredulity.
“How dare you refuse a direct order!?” — but now picture a red face and spittle literally flying around the room.
He immediately called my supervisor and up all the way to the CEO of my consultancy.
That’s what happens when individual contributors push back. In general there are zero legal, corporate, or personal protections.
“Do as I say or consequences.” is the norm.
In this situation I was incredibly lucky that the CEO trusted my judgement and told the PM to take a hike. Even if I had been fired I would have been okay.
Most people can’t take risks like that on principle.
That’s fundamentally why enshittification happens, and why every mobile app’s data collection dragnet would make an NSA spook blush.
Only consequences for directors and up matter. They're the ones that need to feel the fear, not the poor outsourcer struggling to put food on his family's table.
I actually think many people could, and the more who do, the easier it gets.
It's better to blame the management and higher-ups or Zuck himself directly. Blame the people who finance it and profit from it, not the people who coded it. Follow the money.
I remember finding this out as a very junior engineer straight out of university. I was once asked to write code to cheat at a benchmark to make my company's product look better than it actually was. I had deep misgivings about this, but as a brand new junior developer, I was very hesitant to speak up. Eventually I told my manager I didn't feel comfortable with the ethics of working on that project, and he was totally cool with it! He said "No problem, we'll take that task out of your queue and give it to 'Jim', he'll do it instead." Jim was thrilled and wrote the benchmark-cheating code himself.
There's always someone willing to do it.
(also, is it an exciting technical challenge? It’s a POST request to localhost!)
Once I worked at a place that actually calculated how much an outage cost the company and gave the figure to the engineers who resolved the issue to "think" about how bad they were.
What you propose is equally confused and wrong.
That said, I think fining the company seems pretty plausible. They won't, but it'd be nice if they did.
Hitmen can't just say "but I keep getting hired to kill people."
Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular. That's what allowed them to know WhatsApp and Instagram were good acquisition targets.
At this point, I think the race for Zuckerberg is: can Meta survive long enough for the next platform shift (AR or VR), where they will own one of the major platforms and won't need to abide by any reasonable rules, before their "internet tentacles" that sustain the Ad Machine are cut off?
My bet is they will make it. Though I don't wish it, they're on track.
As far as replacing your smartphone with AR glasses, that remains to be seen.
We will just have an AI that will do everything; we just ask. "Book a flight, order a pizza and reply to my emails", boom, done.
They had people install a VPN app using an enterprise certificate so it was never in the App Store, and they monitored all the traffic that the VPN sent.
Unlike this case, it required users to jump through a number of hoops/scary iOS warnings. Many still did, for a gift card or less.
Incorrect. An Israeli startup (Onavo) that had pivoted into selling data acquired from their VPN got acquired by Facebook. Importantly, they used statistics to estimate population prevalence, which is how FB knew that WhatsApp (specifically; this was all post-IG acquisition) was super popular outside the US.
> They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.
This was (sadly) an entirely different scandal.
Honestly, I generally defend Meta/targeted advertising in these threads, but this one is such incredible, total, absolute bullshit that I can't even begin to comprehend how one could defend this.
I do remember when I joined FB in 2013, how surprised I was that most of the company didn't care about ads/making money (apart from the sales org). That ship has clearly sailed.
These kinds of things now point me in a direction where I consider advertising alone to be immoral and want it banned. I should have to request information when I want it, rather than being exposed to it at all times on every available surface.
There are only three ways this can go: 1) more frequent and more spookily relevant ads, increasing the number of people who feel that ads should be illegal because of the law-breaking required to make it happen; 2) ads don’t change and everyone quickly learns to ignore them; 3) ads go away, replaced by an easy-to-use marketing information delivery system where only adults can request information unsupervised.
Meta do #1 because #2 and #3 mean the capitalist line doesn’t go up and the end of Meta, respectively. Meta view both of those as the same thing: the end of Meta.
“What about all the businesses which need advertising to survive?”
If they need advertising to survive they’ve been on borrowed time long enough already.
Advertisements encourage the shit Meta is doing. What kinds of similar things are they doing that we haven’t discovered, yet?
They have a history because the punishment has never dissuaded anyone from being a repeat offender.
So maybe they're growing fast? Nope. Their best-selling product, at 14 million of those 20 million, is the Quest 2, which has been discontinued for 9 months. Doesn't sound like explosive growth to me when your best-selling product is not your current product.
> Why I left FB,GOOG,Whatever
>> Author describes seemingly abhorrently unethical and immoral practices they were completely ignorant of, occurring right in front of them that they were a key participant in.
>> Accepted a massive salary to be ignorant.
>> Shocked as all fuck about ethics and implications.
>> Returned 0 money, cashed out.
>> 100% ethical now.
The plan isn’t without flaws, but nobody ever even wants to discuss it; they just cut off the conversation early.
Licensing would raise your costs and restrict your choices, while having absolutely no effect on issues like what's being discussed here. You would just get a more expensive Torment Nexus that may or may not be slightly more secure.
1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.
2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.
1a. Arbitrary apps can listen on ports without permissions.
1b. Arbitrary apps can access local ports without permissions.
I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.
Let me introduce you to https://www.qubes-os.org/.
But even with those technical issues present, Facebook shouldn't have done this.
Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).
GrapheneOS allows this permission to be disabled.
As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.
Getting through VPNs and incognito mode are the most egregious parts of this offense, though. I think some people are under the impression that's a way to act like you're in total privacy... but it's not. It's just an easy way to act like you're in a new browser session or coming from another location, mostly.
It should be for the average person. VPN and private browsing should be enough for what most people use it for. I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.
If it was possible for this to happen in the past, we have reason to believe that the technical capability to link behavior with identity still exists. What’s “unfair” about informing others about the limitations and risks of using a device online?
Some people hate apps running in the background and they terminate all apps as soon as they are done using them.
Crazy to deploy a hack like this at the scale of Meta.
Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.
- How come Yandex was doing it for years without being noticed?
- Facebook must have known about this technique for years as well; why did they only enable it last year?
EDIT: Ok probably because it basically is a repost. I just haven't seen it 6 days ago.
I have seen that if a company is called out by name, in an inflammatory manner, the posts tend to drop out quickly. Sometimes, they come back.
Conspiracy theorists say that only happens with YC-backed companies, but that may be selection bias. I have seen stories that call out a number of companies disappear quickly.
It's hard to say if that's OK or not. I think some of these stories are really nothing more than "hit pieces," but some of them are really on the money.
Why this very news is not on the HN front page for a considerable amount of time is beyond me.
It has the right recipe for a top HN post, namely user deception, sandbox bypass, privacy or lack thereof, web browser, Meta, etc.
The native Instagram and Meta apps start a server listening on predefined ports when you launch said apps; they eventually run in the background as well. When you are in your browser, whether in private mode, not logged in, having refused or disabled cookies, or anything else that might make you feel like you are not being explicitly tracked, the browser will connect to the locally running servers through WebRTC and send all tracking data to said servers from the browser.
The Android sandboxing thing is basically about how Android isolates each app and should only allow communication through Android intents that inform the user of such inter-app communication, such as sharing photos and the like. In this case, the browser is communicating with the Instagram and Facebook apps without letting the user know.
The legal infringement here is that this happens even when you refuse to be tracked, which is a violation of GDPR and another law mentioned in the article.
The 32B figure is a theoretical maximum (but they also mentioned 100B+ in the article, which confuses me).
In practical terms this is a privacy leak a couple bits more informative but slightly less robust than "these requests are coming from the same IP address."
> Android has many flaws, but in the relevant part here, it’s specifically designed to prevent apps from doing this — from listening to local ports like localhost.
to mean that they could not do it via HTTP, and instead had to circumvent Android's privacy measures via WebRTC.
Serious question. I don't generally mind paying taxes and all that. But in this case I feel I am the person offended and I should get some kind of compensation. I'd say €1-2000 would make me feel somewhat compensated.
I was hit by a hit-and-run while driving my car. Totally destroyed the back-end.
I personally investigated and gathered info/videos to figure out the car and plates because the police essentially said they couldn't be bothered.
After finding out the owner of the car the insurance company said that under their criteria it was no longer a hit-and-run and I'm not covered by them. The person did not have insurance.
The law here is the owner of the vehicle faces a $2000 fine, plus the $2000 fine for a vehicle being operated without insurance. I was subpoenaed as a witness (lol) to the hit and run, for which I had to take a day off work.
So, the government earned a cool $4000 for my troubles, and I was out a $3000 car and a day of work.
I've since accepted that fines are just a lazy blunt instrument that serve as nothing more than a deterrent, not a way to fix past injustices. Maybe obvious, but still counterintuitive when you're the wronged party.
For me I think a personal handout would also serve as a kind of apology. I guess this is what I am after.
"We purposefully infringed your privacy by breaking the law. And made a sh*tload of money because of that violation. Here is the money back with some extra compensation. We are sorry. We promise to never do it again."
Personally I would like to see some execs go to prison, rather than taxing/fining a monopolistic corporation, which achieves nothing.
I guess what I am looking for is some kind of personal apology. And that could be manifested in a refund to my bank account, as I explained above.
I don't think sending people to prison helps much.
A personal check would open the eyes for a lot of people and make them realize that this company committed a crime. Against you. And you are worth it.
But for the OSes that we've developed later, we kind of decided that's a problem, and applications are a vector for malware, and "trust" just isn't enough. So Android and iOS did the whole permissions thing.
Now, we've gone back and added some stuff onto desktop operating systems. Of course Linux has containers these days on desktop. Like, I'm running Firefox right now, but Firefox can only access its runtime folders and ~/Downloads. So, if there's a zero-day sandbox breach, I won't get data stolen. There's also SELinux and AppArmor and stuff, and you can really jump into the deep end with this.
But, we largely view it as unnecessary because we're running open-source software from trusted repositories. We probably shouldn't view it that way.
1. Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.
2. There are real humans at these companies who choose to take part in the business and design and engineering, etc.
I don’t think these humans have no soul (though some won’t), and I don’t think they’re stupid (though some are). I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.
I disagree - companies are set up/run by people, and those people define company culture/ company culture reflects those people.
Not all companies, even big ones, are the same.
To make that concrete - if Mark Zuckerberg found out about the above activity and was appalled and sacked everyone involved that would send out a very strong signal.
Note this particular method can't be a rogue one man job - it requires coordination across multiple parts of the Meta stack - senior people had to know - which would point to a rotten culture at Meta emanating from the top.
We know from another case that the opposite culture is true: when told to break the law and use copyrighted material, the engineers felt uneasy. They were not stupid and understood what they were going to do, and for a similar-in-nature-but-a-few-orders-of-magnitude-smaller thing Aaron Swartz was facing prison time. So they expressed their concerns upwards, but they were told to proceed anyway.
People made that decision.
People are human beings, and we are all prone to bias and bribery when big sums of cash are dangled in front of us.
So the problem here is to transform a moral incentive into a financial one. A strong outside regulator who will stand its ground can do this, by imposing a meaningful financial penalty to punish the legal/moral transgression. This is why regulations and regulators with teeth are vital in a capitalist system.
I'm not holding my breath here. Regulatory capture is a thing. OTOH, Trump's undiplomatic approach to the EU may wind up costing Meta. We'll see.
Not in my experience. Even investors are people too ( or the investment companies reflect the values of the people running it ).
Sure there are people who believe the only role of a company is to make money ( eg Milton Friedman ). However that's an opinion - not a fact.
Other people have different views and run their companies, or place their investments, accordingly.
Even if you believe all that matters is the bottom line - you still might take the view that doing reputational damaging stuff like this is bad for the long term bottom line.
That's not to say that I don't agree with you that companies will face pressure over the bottom line, and outside regulation is absolutely important. However you should realise that part of running a large public company is aligning your investors to how you want to operate. If you want to take a long term ethical stand then you attract those type of investors and try and get rid of the short term money men.
Like, attracts like.
Why do you separate regulators from describing incentive system? The incentive system is also woven into them, and if anything, the incentives for regulators go in a much more sinister direction than for any capitalist company.
Profit-seeking companies are forced to satisfy customers who have their economic freedom. But what about regulators? Their primary incentive is to remain in a position of power, and their primary tool for achieving their goals is force.
The economic freedom of all agents is a powerful disincentive. And even with it, we see abuses by capitalist companies. But what about regulators, whose disincentives are much weaker, and whose main tool, moreover, allows them to destroy even these weak disincentives? Fixing capitalism's incentives with regulators is like curing a cold with cancer.
https://youtu.be/f3DAnORfgB8
amongst other things...
Which is why I don't think punishing just the company itself is enough. The engineers, designers, and PMs that implemented this should also receive punishment, sufficient to give anyone thinking of participating in the implementation of such systems reason enough to feel sick, if only for their own skin. Make it clear that participating in such things carries the risk of losing your career, a lot of money, and potentially even your freedom.
Now they may argue that they didn't know, but you can frame the law such that it's their duty to know and ensure this sort of stuff doesn't happen.
cf Sarbanes-Oxley
My feeling is that corporate officers should bear the burden that the corporation as a person currently bears. I can only imagine how much better things would be in past experiences if the C-levels felt a personal need to actually know how the sausage is being made.
Some of the responsibility lies with us, and we need to not pretend that's not the case.
If you, as an employee, did this, maybe you'd add a few dollars to your stock options over time. If you're Zuck, that's potentially billions.
And in terms of downside: if you are Zuck and stop it in the company, there is no comeback; if you are an engineer blowing the whistle, you may find it hard to work in the industry ever again. And only one of those two actually needs to work.
There are specific crimes, and there are specific people who planned these crimes, specific people who ordered them to be carried out, and who carried them out. And these people should be held accountable for these crimes. Even if they work 60 hours a week for minimum wage and would have been fired if they hadn't committed them. They should have quit in such cases, not committed crimes.
And on the other hand, if your employees, without your knowledge, somehow decided that the only way they could reach their targets was to commit a crime, why should you be held responsible for that? Even if you have 20 megayachts and your employees work 60 hours a week for minimum wage.
That's where "knew or should have known" becomes relevant. It's your company; it's your responsibility to know what they are doing.
There is a substitution of one real crime, committed by real people, for a crime "they didn’t know, but should have" against other people, for which there is no real responsibility, while the real criminals are declared to be simply "cogs" in the system.
As a result, no one is held accountable for a crime for which dozens of people who directly committed it could go to prison for many years, because the person held responsible is a high-ranking manager who "should have known, but did not know," who himself issues "a severe reprimand" or assigns a tiny fine for it.
Thus, the entire system is drowning in crimes, the commission of crimes becomes a REQUIREMENT of the system and the commission of crimes becomes a guarantee of the loyalty to the system.
I think anyone would agree that there’s a level of flagrancy where individuals should feel culpability and make the right choices (“write software to prescribe poison to groups we don’t like”).
But something like this? Two apps establishing a comms channel? How many millions of times does this get done per year with no ill intent or effect? Is every engineer supposed to demand to know all of the use cases, and cross-reference them to other projects they’re not working on?
At some point it’s only fair to say that individuals should exercise their conscience when they have enough information, but it is not incumbent on every engineer to demand justification for every project. That’s where the decision makers who do have the time, resources, and chatter to know better should be taking at least legal responsibility.
I agree that the junior engineer implementing a localhost listener on Android might not understand what it is going to be used for and might not even think to ask. But somewhere, a senior engineer or PM or manager knows, and yes as you say that's the point where responsibility can be assigned, and increasingly up the line from there.
Frankly, that's what the money's for.
GmbH - Society with limited liability (German, translated)
This liability shield is by design.
[1] https://m.imdb.com/title/tt0379225
I think the key aspect of a company with “soul” is humans directing the company rather than the company directing the humans.
I think the biggest inflection point where this flips is when companies “pivot”.
The human founders of a company should have a well-defined philosophical Vision of what it is they are building and who it is for. If this doesn’t work out, the business should be terminated.
It is the zombie husks of corporate organizations that have been repurposed to other ends by finance that are dangerous.
I suppose since diluting accountability aligns well with making more money by allowing shadier activities it naturally happens "by accident", but I also think it's quite deliberate in many cases.
Some companies do have soul, and some pockets within big companies do. Patagonia, of course but even some big companies like Unilever are surprisingly soulful. They’re the exception maybe, but it’s not like companies have to be amoral.
In tech, there used to be a ton of borderline hippy companies, including Apple and Google. There are probably smaller ones now, but growth and pressure and wealth does seem to squeeze the soul out of places.
They're sellouts and traitors.
Then there are people who will take to pondering what it means to be a sellout in a disingenuous manner. They act like it takes a haughty philosophy club to stroke their beards, reinvent paid labor from first principles and, through motivated reasoning, discover "sellout" isn't all that bad. And it turns out everyone sells out one way or another, so it's a wash what line of work you go into anyway.
Now those are the people who have no souls.
For some it's evil, for others it's an interesting itch to scratch.
Also not included:
https://www.courtlistener.com/docket/70448987/1/rose-v-meta-...
The wiretapping claims carry damages of $5,000 per violation.
It could be he thinks this is laughable like the ePrivacy Directive.
https://www.reuters.com/technology/metas-facebook-pay-90-mil...
https://dicellolevitt.com/case-study/facebook-agrees-to-pay-...
@dang maybe add a $ to the 32B? I see B so often with AI Models that I think the currency symbol would be useful in this link title
This was 15+ years ago now but Verizon (and others?) used Flash (because browsers still shipped with support for that in the 2000s) to create an undeletable cookie. This was settled for low 7 figures.
Privacy legislation has advanced a lot since then and the EU doesn't play around with GDPR violations, particularly when it's so egregious. I don't expect a $32B fine or settlement but it won't surprise me if this costs Meta $1B+.
[1]: https://www.propublica.org/article/verizon-to-pay-1.35-milli...
Definitely not even close to 32B
1.2 billion fine for an earlier incident: https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fi...
It must be low enough that Meta never seriously considers to pull out of Europe.
Why? Threatening is one thing; actually leaving one of the largest markets is something different. Also, not much of value would be lost.
> Something that you can sensibly express as a fraction of the revenue of Meta is significant though.
Also, if the percentage is low, it just becomes the "cost of doing business" and not a fine that would actually make them rethink and not do stuff like that again.
Of course the concern would be that even at that rate some companies might see it as a cost of doing business.
...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
How does choice of search engine protect from this?
I don’t use Android or either of those browsers, but my guess is that either they block the tracking pixel from loading in the first place or they’re more locked down on what they allow websites to reach out to (i.e. no localhost access).
>You’re not affected if (and only if) ...
>You always used the Brave browser or the DuckDuckGo search engine on mobile
What's the point of being Google or Apple except for precisely control of such central services?...
♪ Central Services, we do the work, you do the pleasure... ♪
"Have you considered your ducts?"
...And it just so happens that all the news you see is from the device and subject to this surveillance used to colonize your mind... Sounds democratic!
The old Politburo could only dream of such tools for maintenance of a compliant, obedient proletariat.
And with Central Services new "AI" you can get a brain implant to ensure your perfect conformity and access to the best paying jobs in the world, yours and your family's future will be secure. Be sure to invest in these securities, shop here, entertain and vacation there— leave the driving to us! Do it your way.
"A new life awaits you in the Offworld Colonies. A chance to begin again in a golden land of opportunity and adventure. So c'mon America..."
"...Every leap of civilization was built off the back of a disposable work force..."
Absolutely not. The law is still the law. The fact that Meta is able to break the law via technical means doesn’t mean victims deserve to be victimized.
Just because someone is able to pick your lock at night doesn’t mean you deserve to be burglarized.
Which is it? You contradict yourself in a single sentence.
And the bar is high for the average person, who isn't much tech savvy at all.
People: "Oh there is a poisonous substance in the water. Many people harmed" Your answer: "Yeah, why don't you have a degree in water safety, in the first place plebs? I take samples every week."
GDPR doesn't work like your imaginary all-expert world. Facebook should be, and hopefully will be, fined to nonexistence.
> You’re not affected if (and only if) . . .
> You browse on desktop computers or use iOS (iPhones)
At the very least they should step back and allow companies to enforce safeguards because they clearly lack the understanding or foresight to do so effectively.
The simple way for the EU to beat Meta is to stop being so cheap: break the WhatsApp dependency by actually paying properly for something that has a decent UX and doesn't track you. If you aren't willing to do this you will be exploited over and over again. TANSTAAFL