Why We Disagree with The New York Times

Facebook’s response seems perfectly reasonable to me.<p>- Obviously in order to integrate FB functionality into a Mobile OS UI requires an API to render the data being displayed.<p>- If your phone has a home screen widget which shows friend data, obviously that friend data came from a Facebook API call.<p>- If you type your Facebook username and password into a settings dialog in order to enable that home screen widget to function, that’s pretty obviously consenting to enable the functionality.<p>- There once was a day when we <i>demanded</i> our social media platforms to provide these “open access” APIs to specifically allow for accessing our own social feeds on our own devices.<p>We trust our user agents to render our private information on our devices. Sometimes we even trust our user agents to leverage network services to improve the on-device performance (i.e. Amazon Silk)<p>If and when user agents exfiltrate our personal data off device for data mining purposes (i.e. Chrome Omnibar) it should be disclosed and opt-in.<p>It sounds like Facebook provided an API to device manufacturers to allow them to deeply integrate social features on device. This has historically been considered a Good Thing. It sounds like they put together a legal agreement that required these device manufacturers to take due care in implementing these features to protect user data. Also seems like historically this is what we would call a Good Thing.<p>When you enter your username and password in order to view your Facebook feed — that’s called a “user agent” and that’s something <i>appreciably</i> different than a third party quiz app sucking in friend feed data.<p>However, Chrome Omnibar aside, user agents are not expected to exfiltrate data in any way, and if that occurred, that would indeed be a story I’d like to read, and my ire in that case most certainly wouldn’t be directed against <i>Facebook</i>.

I had a Windows phone that used these API&#x27;s. When Windows Phone 7 came out, Facebook didn&#x27;t create the Facebook App for that OS, Microsoft did. It looked like what you expected Facebook to have built and it worked like the Facebook App that other platforms had. The whole purpose of the API agreement with Microsoft was to guarantee that the Facebook App they wrote would still work years down the road. Microsoft did not have access to my data. They were allowed to write an app that allowed ME to access my data.<p>The NY Times article makes it sound like Microsoft was allowed access to my data. They were not. They were allowed to create an app that had access to an API so I could access my data from the Windows Phone device.

I unexpectedly agree with FB here.<p>If NYT are correct then we can kiss goodbye to APIs that are used by any services that are not explicitly written and signed by the service provider. In the extreme that means you won&#x27;t be able to log in to facebook on the web, only via a facebook app, because there&#x27;s no guarantee that a 3rd party web browser isn&#x27;t stealing data. That goes for any and every service dealing with personal data, and we pretty much lose the open web.<p>I want to protect user&#x27;s data as much as anyone, but if a user deliberately installs a 3rd party app and enters their credentials into it, then they are consenting to that having access to their data under that app&#x27;s privacy policy&#x2F;terms. This should be obvious to all users, especially where GDPR advice has been implemented.

The limited responses so far in this thread only reinforce many companies decisions to pull support for public apis. How many years have developers been complaining that twitter and facebook have been restricting access to apis for 3rd parties, but now all of a sudden they&#x27;re evil for ever offering apis to begin with?

I&#x27;m no huge Facebook fan - hardly use it these days, but...<p>These apps are just alternative Facebook clients. Don&#x27;t we _want_ a system where you can use different clients to access your own data?<p>If the problem is not trusting the client, well, that&#x27;ll be a problem for any such system, even some utopian fully open, distributed and federated social network - until you build an open source client yourself.

Crazy that everyone in here is defending Facebook.<p>- How on earth does Facebook justify giving direct API access to information that users have, in every setting possible, marked as private?<p>- How on earth does Facebook justify offering deep API access on users who have literally disabled API access to their data?<p>It&#x27;s ridiculous, and it&#x27;s more ridiculous that users here are conflating &quot;basic API access with a sane permissions system to give you control&quot; with &quot;deep API access with no privacy controls whatsoever that openly defy existing privacy controls&quot;.<p>It&#x27;s not acceptable, and frankly, this is EXACTLY why government regulation of data online isn&#x27;t a possibility, it&#x27;s an inevitability. Because when the penalty for ignoring the user&#x27;s selection of &quot;DO NOT MAKE MY DATA AVAILABLE OVER THE API&quot; and &quot;DO NOT MAKE MY DATA AVAILABLE TO FRIENDS OF MY FRIENDS&quot; etc is now billions of dollars in damages and potentially criminal charges for executives, <i>magically</i>, these violations will stop occuring.<p>Until then, everything in this document is either a lie or sufficiently legalese&#x27;d that it&#x27;s worthless, just like the lies that they told to Congress, just like Zuckerberg&#x27;s lies to E.U. as well.<p>I cannot wait until it is a crime to share private user data against their will. We live in a wild west and the past 10-15 years are proving just how much sheer damage we have caused in society by not criminalizing disrespect of digital privacy.

This is the same they said about Cambridge Analytica initially... but you can&#x27;t just blindly trust others (in this case apparently 60 companies got priviliged access). If it&#x27;s technically possible, then someone will do it. When your data is gone, its gone.<p>How naive is Facebook really?

Facebook&#x27;s making the distinction between allowing a device to offer Facebook-like services (which require Facebook functionality) and third-party apps that suck up all your friend data.<p>On the one hand, Facebook&#x27;s got a point, that if you want to be able to use Facebook on a device without going through the Facebook app or the website the device needs to be able to authenticate onto some sort of API.<p>On the other hand, the NYT article makes the claim that the makers of the devices got access to the Facebook data, writing &quot;Facebook acknowledged that some partners did store users’ data — including friends’ data — on their own servers&quot;. However, Facebook never followed up on that in their article, just pointing out that if you are logged into Facebook on a BlackBerry that the BlackBerry can make the same requests you could if you were logged into Facebook through the web browser.<p>The question that matters which neither side addresses well is how much of that data makes it to device maker servers (for a while, the NYT homepage was claiming &#x27;dozens&#x27; but they removed that and it doesn&#x27;t appear to be substantiated in the article).<p>There are related worries with the device having access to the Facebook data itself, but at that point you need to start worrying about malicious activity by device makers in general. E.g. will my phone start sending my web history back to its maker as well? my bank account numbers?

It seems they don&#x27;t really disagree but are simply saying, its not as bad as you think. Is there anything factually incorrect in the New York Times reporting?

NYT says: ‘Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found.’<p>FB says: ‘Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.’<p>This is the only disagreement as I can see.

Incredible, they are using the current controversy to represent their locking down of the API in a good light. Facebook didn&#x27;t restrict their API because they were privacy-conscious. They restricted it so you could not build experiences they did not want:<p>- You cannot sync your address book contacts with facebook in order to get profile pictures (you used to be able to do this)<p>- You cannot write an alternative Facebook client (with a better timeline, no ads, ...)<p>- You cannot write a complete bridge to another social network (e.g. implement Federation)<p>- You cannot build a P2P (serverless) application over Facebook. E.g. a chat, or something to send a file to a friend on Facebook, or to initiate a TeamViewer-like session.<p>All of these are either explicity forbidden by policy, or have been closed by specific changed to their API.<p>To be honest, I don&#x27;t care too much that people were able to scrape data I put up voluntarily. The German Facebook clone was called StudiVZ - Student&#x27;s Directory. This sounds a lot like a telephone book, and that was the mindset and expectation I had when signing up to Facebook. Create and curate a profile for friends and friends-of-friends to see, and I didn&#x27;t care much if others saw anything, because it was irrelevant to them. I mostly cared about meeting people - being found, and finding other people. In this light, I&#x27;m more concerned about data freedom than data protection. While the latter is important of course, it&#x27;s unfortunate that the former is always forgotten.

A lot of people are missing the point, debating whether this was reasonable or not.<p>Mark got away with telling Congress ~&quot;we don&#x27;t share with third parties&quot; and now they&#x27;re saying Blackberry&#x27;s not a third party.<p>If it&#x27;s all okay, why didn&#x27;t Mark come clean? and tell his Congressmen? He had a chance to explain this arguably-harmless behavior, but he chose to sidestep it. Why? Did he not understand the question?<p>It&#x27;s fine that this data-sharing is maybe reasonable. It&#x27;s not fine that Mark withheld this from Senators. This is <i>exactly</i> what they were asking about, and given the chance to <i>explain</i>, he chooses silence. He gets to avoid the public debate while the techies argue amongst themselves.

In this specific instance, the Times article might be overblown.<p>They specifically mention that they were able to use BlackBerry Hub with a reporter&#x27;s account to query Facebook data. The article never states whether BB Hub connects to Facebook directly, or whether it receives data from a BlackBerry-operated service.<p>The latter case is clearly user-hostile. If BlackBerry (the company) can read user data and Facebook claims not to allow 3rd-party access, then that is bad, and it should be treated as a breach of the user&#x27;s trust.<p>The former case is more complex. As a user, I care a great deal that I can access Facebook using my choice of browser, whether that&#x27;s Chrome, Firefox or Edge. I shouldn&#x27;t be limited to the top three either. Some users may prefer a browser that works with their screen readers, others may prefer the built-in browser in their smart TV, and others yet might prefer a unified messaging app, like BB Hub.<p>The distinction between what happens locally or in the cloud is often unclear, and it&#x27;s not getting any better. Chrome on Android wants to accelerate mobile connections by routing them through a compressing proxy. I can get an extra-secure version of chrome from authentic8 to protect against malware, with the caveat that it runs in their datacenter.<p>I feel that the tech industry in general, and Facebook in particular are struggling to tell users what happens with their data. Sometimes it&#x27;s because things actually are complicated, and sometimes just to hide obvious overreach. The obvious blowback: complaints, strict regulation and mistrust. As the people who build and run systems, we should strive to do better. Regain the trust lost by past mistakes, and get back to the point where one could realistically apply hanlon&#x27;s razor to reports of user surveillance.

The author does not provide a link to the NYT article to which this is a response. Maybe it was just an oversight.<p><a href="https:&#x2F;&#x2F;www.nytimes.com&#x2F;interactive&#x2F;2018&#x2F;06&#x2F;03&#x2F;technology&#x2F;facebook-device-partners-users-friends-data.html" rel="nofollow">https:&#x2F;&#x2F;www.nytimes.com&#x2F;interactive&#x2F;2018&#x2F;06&#x2F;03&#x2F;technology&#x2F;fa...</a>

This is a really interesting moment and is worth some introspection.<p>On one hand, Facebook is clearly correct: If FB makes an API, and a user gives an application (written by a third party and run on a fourth party&#x27;s device) their username and password, then FB cannot be blamed for the application using the username, password, and API to retrieve private data. Indeed, that&#x27;s the point.<p>On the other hand, appearances make it look like Facebook is hiding some things: why is this not a public API? What trust are you putting in these third parties, what are you giving them that not everyone would be trusted with?<p>But most of all, people are waking up to the vulnerability of their private data. They are realizing that some things they&#x27;ve been taking for granted for years are dangerously insecure. So we have users, such as reporters, suddenly realizing that their device has access to all the data you view on it. Any third party app you give your FB uname&#x2F;pwd to has access to everything on your Facebook, and the only limitation is whatever their terms of service are. (So does any software that app runs on top of.) Coming to this realization, we see backlash not always correctly directed. It would make at least as much sense to call out those third parties rather than FB, and ask them to prove they do nothing nefarious with this trust.<p>Is it too optimistic to hope this will stir mainstream interest in free and open source software?

In this FB response, they seem not to disagree with any of what the NYTimes had to say. This is called justification, not disagreement.

Your real data has already been mishandled by anyone from banks to healthcare providers to governments. This mass hysteria about FB is just silly nuisance constantly getting blown out of proportions by turf wars between FB and traditional media Oh and this particular case FB is calling the nyt fake news

The fact that you can&#x27;t read messages (without switching to &#x27;desktop mode&#x27;) on their mobile web app is such horse shit. Yuck.

&gt;These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.<p>Two people you don&#x27;t know made a deal about how to use your information without telling you. There is no reason to think they are going to keep that deal, no reason to think anyone is actually checking up on your information, and no reason to think either of them cares... and no way to know if anyone actually keeps the deal... and probabbly no recourse even if you did know someone broke the deal.

As a non-user of Facebook, I completely take their side with all of this.<p>1) If people don&#x27;t want to read the fine print, whose fault is that? 2) How have we gotten to a point where we are abdicating our choice voluntary, and then acting begrudgingly toward the new owners when they misuse it?<p>I must apologize for my cynicism here, but we&#x27;ve been going around this mountain for a very long time now (circa 2013 IINM?). I&#x27;m getting tired of hearing how people are feeling violated due to their own actions.

Correct me if I&#x27;m wrong, but my impression is that this all comes down to one basic question:<p>Does a Facebook-approved &quot;mobile experience&quot; count as an official FB app or a third-party app? It seems to me that the FB post is trying to frame it as the former, and everyone who&#x27;s upset is trying to frame it as the latter.<p>Is that what this entire disagreement is about? Because if it is, maybe it would help if we just focused on that question.

I didn&#x27;t read&#x2F; watch the testimony before Congress. Did they flatly claim that &quot;we no longer share private information with third parties&quot;? Because if so, this post seems to confirm that that was a lie, even they give (arguably) good justifications here for why they share private information with some third parties.

This is the article that this article responds on: <a href="https:&#x2F;&#x2F;www.nytimes.com&#x2F;interactive&#x2F;2018&#x2F;06&#x2F;03&#x2F;technology&#x2F;facebook-device-partners-users-friends-data.html" rel="nofollow">https:&#x2F;&#x2F;www.nytimes.com&#x2F;interactive&#x2F;2018&#x2F;06&#x2F;03&#x2F;technology&#x2F;fa...</a>

Perhaps Zuck isn&#x27;t as bright as we all think? This reply is far too tech-heavy, and jargon-littered to be taken seriously as a reply to something as mainstream as the NYT.<p>Their PR problems aren&#x27;t rooted in SV, yet that&#x27;s who this is targeted to. It doesn&#x27;t make (good brand) sense.

Security related issues need some time to investigate and to produce a proper report. This post seems like a knee jerk reaction. Actually, while this sounds like more PR fluff in a poor attempt to stem more scrutiny, I&#x27;m confident that there will be more reports from other sources providing a stronger case against Facebook&#x27;s claim on this topic. This post makes it clear that Facebook is clueless if there are any weaknesses or breaches (despite shutting down 22 partnerships).

The New York Times should be ashamed of itself. Facebook let companies like Apple integrate with their platform.<p>To do so, these companies sent the same sequence of bytes from your mobile phone to the Facebook server, as the Facebook app does, or as any person can do. I can write my own Facebook app today, and there is nothing that Facebook can do about it, except sue me.<p>THAT IS A GOOD THING. LITERALLY FIVE MINUTES AGO THE COMMUNITY WAS FIGHTING IN THE COURTS FOR PACKAGES SENT OVER THE INTERNET TO NOT BE CRIMINALIZED.<p>Remember the whole thing about violating the terms of services of a company which forbids scraping making you a criminal hacker?<p>The only thing Facebook said to Apple is: Let&#x27;s make a deal, we will not sue you, you put our logo into your phone, also we promise not to break your app.<p>No data was given to anyone! This is literally my iPhone&#x2F;Samsung&#x2F;Blackberry running an app that gives ME access to MY Facebook data.<p>It doesn&#x27;t even go to Blackberry&#x27;s server! The nerve of people to pretend as if the data ON MY PHONE is someone in the hands of a third party, as if my phone really belongs to the manufacturer. Again, we used to be fighting for the idea that these devices should belong be unlocked, should be under our control. Now you guys pretend that data my phone downloads from Facebook is somehow a violation because I decided to use an app that someone else wrote.<p>There is no possible universe in which that is bad. Think about the ramifications of these new ethics that people suggest here.

&quot;<i>Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.</i>&quot;<p>Hasn&#x27;t FB had a history of assuming the decision was positive if the user didn&#x27;t opt out, through a difficult procedure?

Oh I am so sad, Facebook is “victim” of lies and poor reporting, let me get my tiny violin.<p>Facebook lies every possible time, it’s built into their perverse business model. Even if the article was actually wrong, it’s only fair that they get a taste of their own medicine every once in a while.

It is, of course, useful to remember that &quot;These partners signed agreements that prevented people’s Facebook information from being used for any other purpose&quot; was ostensibly the back-stop against the mass-harvesting undertaken by Cambridge Analytica, also.

I feel the response is similar to Apple&#x27;s antenna-gate. Using competitors along to prove their point. Could have communicated better. Good that they took steps couple of months ago to close their legacy APIs. That&#x27;s the only key takeaway from the post.

&gt; It’s hard to remember now but back then there were no app stores.<p>Bunch of nonsense. Of course there were.

A bit off-topic, but it bugs me how the picture in the article shows a Blackberry Bold running the BB10 OS, which never supported such device. I wonder why they showed a (probably) photoshopped device instead of a real one.

&gt; All these partnerships were built on a common interest — the desire for people to be able to use Facebook whatever their device or operating system.<p>Facebooks best interest, not &#x27;common interest&#x27;

&gt; These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.<p>That is a big door and a pretty open use case. I am not buying into &quot;and this is actually good for the users&quot; story.<p>To me, FB must clearly choose how to handle this: (A) &quot;we made a mistake, sorry; we will fix it&quot; or (B) &quot;this is working as designed; if you do not like it, go away&quot;. They could probably justify either case both internally and externally (better ethics vs better revenue), but trying to stand in the middle as they have often done in the past will likely backfire. Buy more popcorn. My 2c.

Who in their right mind would trust Facebook over the New York Times? Try again Facebook. I’m kind of glad they are doing this, I think it will speed up their decline in the end.

&quot;We Disagree&quot;: the last refuge of a company&#x27;s defense when they have absolutely nothing else to counter or rebuke their opponent&#x27;s argument.

It seems like a lot of Facebook employees are commenting on this thread. I wonder if they have tools to influence the public argument similar to the Russians.

I wouldn&#x27;t be worried about BlackBerry, it&#x27;s Samsung. I will never use their phones again with their fingers over every part of the Android pie.

I don&#x27;t have high expectations for a company that says they take privacy seriously while constantly invading it and playing dumb.

People don&#x27;t read terms of service. In using your phone who knows what you agreed to let your phone company do with your FB data.

So will Facebook take legal action against these companies who violated their service agreement?

Imagine if this same thing happened with Microsoft and imagike people’s reactions.

lol where are these people back then when Facebook released the APIs? I bet even if they were asked to give consent, they would not be able to foresee what&#x27;s happening today.

Their argument here is basically like being accused of murder and using &quot;since murder is illegal, we did not murder someone&quot; as a defense.

&gt; This took a lot of time — and <i>Facebook was not able to get to everyone.</i><p>Spoken like the true Anti-Privacy Overlords they are. :(

writing this was a mistake. this is clearly a deceptive pr spin fluff that is entirely non-responsive to the specific concerns raised in the new york times article.

It reads like a long defensive argument, &quot;how else did you expect us to make huge sums of money&quot;? It is exactly as tone-deaf and legalese as you would expect. There is no new information here; Facebook says legal contracts actually protect your data so it can&#x27;t go anywhere, &quot;just trust us&quot;, etc.<p>&gt; These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences.<p>That sentence does not make any sense. Signed agreements <i>do not prevent</i> your information from being used in other ways. That&#x27;s insane, literally.<p>&gt; Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.<p>In the past, Facebook Legal has stated that once a Facebook user has signed up, they consent to having psychological experiments performed on them with no further notice or direct consent. Facebook has acted on this and intentionally made hundreds of thousands of people fall into a depression, just to see if they could, and then they bragged about it. The sentence quoted above <i>actually</i> means &quot;friends’ information, like photos, was only accessible [whenever and however we wanted to]&quot; as Facebook considers those people to have <i>already</i> &quot;made a decision to share their information with those friends&quot; when they signed up.

&quot;Because we&#x27;re paid to&quot; - FB PR team

Funny they don&#x27;t like fake news when it&#x27;s about them.

In every situation, people from Facebook would probably be better off if they didn’t talk.<p>This article is really just skeezy. Reads like “we were just doing all the stuff you accused us of, but it’s ok because we are huge creeps too.” It’s so cringe-worthy.

The one thing I really miss since leaving fb in March, are the groups. Things like playing in local sports pickup games are easier because everyone has fb so the groups were more active. I now use my wife&#x27;s account for this, but I really wish another option had some traction, then I could leave fb forever.