DEV Community


This Facebook Security Breach was "Intended Functionality"

Michael MacTaggert on September 29, 2018

In the wake of Facebook's breach of (more than) 50 million accounts, we're starting to get some explanations, and they are hair-raising. No group i...
dewbiez

Facebook is really annoying. Someone should invent a social media with privacy into consideration. Not little nit-wit Facebook privacy.

Or maybe delete all social medias. And live on messengers instead? IDK.

Michael MacTaggert

I think the opposite would be better for society, a social media site that functions as a journal and posts go public after 10 years or so. The problem with Facebook is that it erodes privacy and monetizes people's attention while running advertising that is designed to alter people's behavior, and that it fundamentally alters the incentives of networking to benefit itself, and that it essentially locks away people's thoughts forever after they die because it replaces journals or correspondence. Something that doesn't do any of those things would be great, and I reject the idea that sites like Facebook or Twitter can't exist without VC and ads. Maybe they wouldn't make all the money in the world as they try to now, but that's not a reason to make the world worse.

Mihail Malo

I'm sure it's possible to attract enough (no-strings-attached) funding for development, but there are two real problems:
1) How to make the platform 10x more addictive so people are actually on it instead of facebook
2) Operational costs. It could be distributed if people still used good christian desktop PCs, but with most of the population being on their low-battery phones and expensive mobile connections? :(

Michael MacTaggert

(I don't usually phrase comments this way, but I really just have such disparate thoughts on this. Sorry it's a little weird.)

1a) Much like the goal of outrunning a bear with a partner is not outrunning the bear, it's outrunning the partner, the goal of another social network is not (or should not) be to surpass Facebook. It is to become sustainable in proportion to their funds.
1b) I prefer not to intentionally design things to be addictive. That's abusive of people's trust.
2) We never talk about Facebook or Twitter abandoning targeted advertising, and I get why. They're so entrenched in those business models. However, if they were the ones to adopt more humane funding models, then they would still be the top dog in their corner of social media. Moreover, if the argument is that they would have to shut down if they don't sell people's data to advertisers--that ordinary users would not crowdsource money to keep it afloat--then, by their otherwise pseudo-capitalistic logic, doesn't that mean their users don't want them around enough and that they should go out of business? I don't think they would have to go out of business; they just wouldn't be able to generate as much revenue and would have to cut back staff/C-suite pay down to what they should have been in the first place, which is not a service problem. We could force the issue by banning targeted advertising, but I don't think that's likely to happen because of their incredible government lobbying.

rhymes • Edited

However, if they were the ones to adopt more humane funding models, then they would still be the top dog in their corner of social media

Facebook is a public company. The goal of a public company is to maximise profit. There's no way they can leave this business model and not get sued by investors. They could change the business model by going private but then Facebook would need to buy back its stock shares, which is highly unlikely.

Musk wanted to take Tesla private last month, it would have cost 71 billion dollars at the time. Facebook is worth 474 billion dollars :-D

We could force the issue by banning targeted advertising, but I don't think that's likely to happen because of their incredible government lobbying.

Probably, but I think that the more privacy issues they have, the more likely they are going to regulate it.

Mihail Malo

1a) Social networks have incredibly strong network effects. Unless they are intentionally niche platforms and not general purpose communication tools, it's either all or nothing.
1b) If a private company could have a product that's addictive enough to get a market share, they could then go on to affect great positive change. It's possible to sugar coat our words and say things like "engaging", but at the end of the day we need to acknowledge that everything currently in use is winning because it is ridiculously addictive, and isn't just a "frictionless tool that allows us to fulfil our needs and then gets out of the way".
2) I am strongly opposed to any sort of government or regulation, practically and morally, I firmly believe that it is always infinitely harmful.

rhymes

I am strongly opposed to any sort of government or regulation, practically and morally, I firmly believe that it is always infinitely harmful.

So, how do you protect users from a company worth half a trillion dollars that has no intention to put their users at the center?

"Just competing" is not enough. It's not impossible obviously, it might happen in the grand scheme of things that Facebook "fails" but companies have never been this rooted in the history of capitalism.

There have been companies before Google, Facebook, Amazon and so on that were worth more, but as far as I know no companies with so much information about their "clients" have ever existed. Standard Oil was worth a trillion dollars at the beginning of the 20th century, but they definitely didn't know what Paul from Connecticut did during his work day :D And Standard Oil was broken up because of... monopoly.

You can't be totally against any sort of government intervention, or regulation. Eventually we would have only one film studio (Disney?), one internet provider, one tech company, one this and one that...

As you say, and I agree, the straightforward way to end Facebook's supremacy is to create a valid alternative, not to destroy it with regulations, but regulations are not there for Facebook, they are there to limit companies' bad behaviors, which they still pursue even with regulation (like the fact that most of the tech companies pay little taxes by gaming the system, which I find more appalling than tracking their users in a way).

Michael MacTaggert

It is not true that a public corporation's purpose is solely to make money. I'm on mobile right now, so I direct you to the links on the "shareholder value myth" in the RE:Open Source Has Not Failed article on my account. Investors do not own corporations, and they cannot sue a corporation for not solely making decisions that maximize profits or shareholder value.

rhymes

It is not true that a public corporation's purpose is solely to make money. I'm on mobile right now, so I direct you to the links on the "shareholder value myth" in the RE:Open Source Has Not Failed article on my account. Investors do not own corporations, and they cannot sue a corporation for not solely making decisions that maximize profits or shareholder value.

Thanks for the suggestions! I watched Lynn Stout's two short explanations on the "shareholder value myth" and loved them :-) When she talks about the life expectancy of publicly listed companies I started thinking of all these startups that are thrown on the stock exchange, like IPOing is the only way to go, but I guess they do that also because they took too much money from VCs in the first place. If you click around TechCrunch you see an insane amount of money thrown at startups.

She makes a really good point, but it doesn't mean that everyone believes that. She's even challenged on this in the second video. "A system that's structurally designed" is how she calls it. I believed the myth as well and I don't own stocks :-) I'm quite sure most capitalists believe this myth too. The Starbucks guy confirms that indirectly. He talks about going into meetings talking about customers and people, and I'm sure that Facebook is the same, they truly think they are doing their best for their users and their mission; it's this disconnect that makes them dangerous. After all, if you don't truly believe it you just go with the flow and end up being ineffective.

Going back to Facebook: Zuckerberg has 60% voting rights so I guess it's mostly up to him to decide in which direction the company goes. Which doesn't really make me think it's going to go in another direction for a while.

Mihail Malo

Honestly, I don't know of any monopolies that formed in spite, and not directly because, of government regulations. Sure, they occasionally plunder a big company to the applause of the population, but it's the regulation that prevents new players from entering the market.

The reason we like to complain about apparently or truly monopolistic service providers is because their services are clearly of very poor quality, with ways of improving them obvious to most of us. Usually this also comes in combination with being overpriced.

So, surely such a terrible service is easy to challenge even without infrastructure and economy of scale? Not so fast, because of certification, regulation, and infrastructure planning, all of which are affordable to comply with/lobby for the big company, but prohibitive in cost and complexity to the new player.

So, there's always been churn in market leaders, and regulation only slows it down. What about the internet though? It may seem like the exponential network effects of the web may forever cement the lucky few. Well, the unregulated internet, combined with open source knowledge and scalable (to the low end as well) public cloud services means it's cheaper and easier than ever to get your idea online, where the established company has far less governmental means to interfere with you. That is, until something like GDPR comes along and makes the little guy easy pickings for a government foray.

Mihail Malo

@rhymes can you be more specific as to what the users need to be protected from? I don't see how these companies are aggressing against anyone (violating anyone's rights), regardless of how much I disagree with their actions and policies.
I wouldn't call their software malicious, because it doesn't try to evade permission systems and AFAIK has not been proven to spy on anyone.
Could it be considered fraud? Also not really, since they don't make any false promises to the users.

No objection to making them fail as a result of educating users though, that seems like an unequivocally moral thing to do.

rhymes

can you be more specific as to what the users need to be protected from?

Their privacy needs to be protected. Zuckerberg famously said (though he changed stance on that) he didn't believe much in online privacy. What instead I find more telling, and it's at the heart of FB, is that the genius of their business model is convincing people to volunteer so much information about them for free. Which is fine, there's nothing illegal about it. The issue though is what you do with their data and how data is then managed. Yes, exporting data from FB in a zip file is more or less useless, but I strongly believe in the right of an individual for oblivion, that's the part I like more about GDPR :)

Obviously nothing will change if people don't learn how to use the web better, but that's another story.

I wouldn't call their software malicious, because it doesn't try to evade permission systems

Failing to police hate speech qualifies as malicious in my opinion: theguardian.com/world/2018/apr/03/...

and AFAIK has not been proven to spy on anyone

Well, it depends on the definition of spying. Can following and gathering user behavior on third party websites be counted as spying?

I'm not saying they are doing illegal things, I'm saying I don't like what they do.

Mihail Malo

Yes, exporting data from FB in a zip file is more or less useless

Exporting data from FB in a zip file is a godsend for moving to another network, I just wish it included more. I do understand that legally requiring this from every site is a huge burden though, so I wish it was voluntary.

I strongly believe in the right of an individual for oblivion

I totally don't. If you want to limit someone's rights regarding their own knowledge/data, you must enter into a binding contract with them prior to disclosing the information. This is how eg NDAs work. If you gladly provided the information yourself without being promised anything of the sort, you don't have any rights to it.

Obviously nothing will change if people don't learn how to use the web better, but that's another story.

I do think it's moving in that direction, and not in the opposite. It just doesn't always seem like it because of new users. But once there is worldwide coverage, that should stop.

Failing to police hate speech qualify as malicious

I was talking about malicious software in the usual sense, not anything like a malicious community or malicious platform.
I don't think Facebook can possibly be accused of too little censorship, most certainly on the contrary - censorship is their biggest sin.

Can following and gathering user behavior on third party websites be counted as spying?

This "following" requires the consent of your browser (representing your person) and the consent of the owners of the "third party websites" (which might not be informed, but it is their responsibility to consider what they deploy on their site).
I don't think Facebook can be demonized when you allow your browser to actively contact FB servers when encountering "third party" sites which instruct your browser to contact FB servers.

I'm saying I don't like what they do.

Neither do I, but "protecting" sounds like legal action, whereas the only moral recourse I see is education.

rhymes

Exporting data from FB in a zip file is a godsend for moving to another network, I just wish it included more. I do understand that legally requiring this from every site is a huge burden though, so I wish it was voluntary.

In theory sure, but for the regular user it is mostly useless, if not to rejoice at old memories. What are you going to do? Upload your Facebook zip to Twitter? Maybe with something like Tim Berners-Lee's new initiative Solid true portability will be achieved, but still, we're talking about portability between different social networks. My list of Facebook likes is useful only in the context of Facebook.

I totally don't. If you want to limit someone's rights regarding their own knowledge/data, you must enter into a binding contract with them prior to disclosing the information. This is how eg NDAs work. If you gladly provided the information yourself without being promised anything of the sort, you don't have any rights to it.

Well, we agree to disagree :-)

I don't think Facebook can possibly be accused of too little censorship, most certainly on the contrary - censorship is their biggest sin.

The thing is they censor whatever they want to censor, but again, it's a global private company and speech laws are different everywhere. Another issue here is abuse, which is the same thing Twitter users complain about.

This "following" requires the consent of your browser (representing your person) and the consent of the owners of the "third party websites" (which might not be informed, but it is their responsibility to consider what they deploy on their site). I don't think Facebook can be demonized when you allow your browser to actively contact FB servers when encountering "third party" sites which instruct your browser to contact FB servers.

You can't consent to something you don't know about. You realize that users aren't tech savvy like us, right? If I read your sentence up there to my non techie friends they will look at me like I'm from Mars. Yes, we all consent to the terms and conditions without reading them and that's bad, but that doesn't mean the fact they put everything they want in the TOS is a good thing.

Neither do I, but "protecting" sounds like legal action, whereas the only moral recourse I see is education.

I think we need both. Look at food safety, would you prefer to live in a society where NO food safety laws existed and trust companies to have your best interest in mind and people to get informed about every single item of food they ingest before doing that? I definitely wouldn't, so I'm okay with the governments regulating what we eat. Are all regulations perfect? Not in the slightest, but most are better than nothing.

Mihail Malo • Edited

Solid

Yeah, I'm totally pro-Solid. For years I've been inventing a Solid most days, sometimes a couple on a slow day. It's a very pragmatic approach to Web 3.0, without trying to shove a blockchain where it don't belong.
In the meantime, our "savior" social network can accept migrations from FB using these zips, using some data and keeping the rest around until it knows what to do with it. Can totally migrate to Solid or an alternative when it's available, and save on storage.

Well, we agree to disagree :-)

As often is the case, we can't really do that, can we? If we go along with the opinions of one of us, these companies will be forced to delete data they never promised to delete at gunpoint.
And if we go along with the opinions of the other, this data would be totally legal to keep, meaning the "right to oblivion" is being grossly violated.
In either case, one of us sees a crime (not a mere unpleasantry) being committed.

You realize that users aren't tech savvy like us, right?

"Oh no, I used a program without knowing the consequences. Someone please regulate something!" (No. You literally did this to yourself, the third party site owner didn't even record your actions and then donate them to Facebook (which in most situations would be totally legal), you did it.)

Would you prefer to live in a society where NO food safety laws existed?

Definitely. A stack of food producer + certification lab + shop is plenty for me. All I ever got from the government is rusty water, late disclosure of contaminations and infections "to not cause panic" and the legal recognition of ridiculous labels like "non-GMO" and "Organic" that allow selling objectively more dangerous foodstuffs at a higher markup. (More of that nice lobbying by entrenched companies.)

rhymes

In either case, one of us sees a crime (not a mere unpleasantry) being committed.

I don't see it as a crime, I just hope people had a right to oblivion. Especially in a contest like Solid where you own your data :-)

"Oh no, I used a program without knowing the consequences. Someone please regulate something!"

Well, laws and rules also exist to protect people from their own bad judgement, it won't be the first time. Otherwise you wouldn't need moderation on social networks, because people are always the best version of themselves in any context, are they :D ?

Definitely. A stack of food producer + certification lab + shop is plenty for me. All I ever got from the government is rusty water, late disclosure of contaminations and infections "to not cause panic"

Tap water here in Milan is fine.

I don't know where you live on the planet but I'm glad in Europe we have stricter food laws than in the US for example. Don't tell me you've never heard of companies trying to sell severely expired or shit food to their customers. Your faith in the same companies that lobby for that ridiculous "organic" label is weird to me.

Again, the regulations are not perfect but no regulations definitely wouldn't improve the quality of your food.

Mihail Malo

I don't see it as a crime, I just hope people had a right

Then we are using different definitions of "a right".
When I say "a right" I mean something we all guarantee to each other, a fundamental invariant, something violating which would threaten the fabric of our society so much that we often come to the defense of the rights of third parties without immediate self-interest at stake. Most fundamentally for me that is property rights, since most if not all other rights such as self-defense, freedom of speech, etc, can be derived from property rights.

"It's not going to be the first time there is legal overreach"

Yeah, we should be abolishing those, not piling more on.

no regulations definitely wouldn't improve the quality of your food

Less costly but insufficient/irrelevant regulations will both lower operational costs for existing companies, and allow more new companies to enter the market.
This provides me with more variety to choose from, so that I can benefit from the highest quality (in my own opinion) and reward the companies providing it to me.

This is exactly what I mean when I say that IT regulations such as GDPR reinforce the position of gigantic entrenched companies like Facebook, which are essentially integrated with the government at this point, and snuff out any potential competition to them. Also a link lol.

rhymes

Then we are using different definitions of "a right".
When I say "a right" I mean something we all guarantee to each other, a fundamental invariant

I know what a right is, I'm not talking about basic or fundamental human rights or rights guaranteed by countries' constitutions. I'm just using the common name for that concept: Right to be forgotten. It shouldn't be called like that, but I didn't invent it.

"It's not going to be the first time there is legal overreach"
Yeah, we should be abolishing those, not piling more on.

Not sure where you got that quote from :D

Less costly but insufficient/irrelevant regulations will both lower operational costs for existing companies, and allow more new companies to enter the market.

As I said, I don't think the system is perfect, but I think totally zero regulations is not the way to go. Less regulations or better regulations is fine by me.

Mihail Malo • Edited

Gotcha. Can just never be sure, with demands for new real rights like "the right to have your demographic be represented in AAA media" and "the right to free healthcare" popping up almost every day.

protect people from their own bad judgement

Don't do dis. That's how you end up with criminalized prostitution, people smoking weed in their home incarcerated, and sweatshops closing down further reducing people's options to not starve.

I think totally zero regulations is not the way

We'll burn that bridge when we get to it. As long as we acknowledge the existing problem.

 
Michael MacTaggert

1a) I agree network effects are a consideration, but they are not the only consideration. It's definitely not all or nothing. Look at reddit, which organizes people into many fiefdoms each with their own network. Facebook's choice to be a global "community" 🤢 has proven itself resistant to moderation, but it's not the only viable model. I mean, look at how MySpace pivoted to musicians.
1b) If addictive tendencies are implicated by an app, then that's usually something to mitigate. The Time Well Spent group talks a lot about this and I'm pretty sure that kind of sentiment is behind all the app usage tracking in new iPhones.
2) This kind of thinking descends from the idea of "freedom of contract", which was specifically created to justify actually, verifiably corrupt corporations and trusts manipulating markets and public opinion to suit laws to their own purpose. The reason they had to create a separate ideology for it is because regulation was working and they had to break up companies like Standard Oil. I suggest reading about the history of that phrase, and "We the Corporations" is a great book on that.

rhymes • Edited

To be fair, Facebook operational costs must be astronomical. One of the few reasons to take VC money is to operate servers for billions of users. But yeah, there has to be an alternative path.

Gerard Klijs

Maybe there should be a distributed platform. But keeping both privacy and distributed will be a big challenge, especially with photos and videos.

rhymes

Maybe something like Mastodon ?

Felicitas Pojtinger

Mastodon? Already has 2 Million + users, federated and is libre software!

Ricardo Rincón

Forwarding a 'log me in' help link does seem like authorizing the recipient to log in to your account 🙄 the security step lies in receiving the link itself.

Michael MacTaggert

Preventing users from taking actions that hurt themselves is also a part of security. If you can't think of a reasonable situation wherein a user would want to forward an automatic login, then why give them the option to shoot themselves in the foot and then blame them for firing?

Ricardo Rincón

They aren't giving them that option. That is out of Facebook's scope. They sent a password recovery e-mail. If you received it and use your e-mail client to forward it to someone else and they get into your account, hey that's on you buddy.

Michael MacTaggert • Edited

>They aren't giving them that option.
>If you [do that option], hey that's on you buddy.

That's a contradictory, unreasonably user-hostile perspective.
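The exchange above is about a "log me in" link that works for whoever ends up holding it. As an added example, not code from the post or from Facebook, here is the usual defensive shape of such a flow: the token is stored only as a hash, expires quickly, is single-use, and is bound with a cookie to the browser that asked for it, so a forwarded e-mail carries the URL but not enough to log in. The service and method names are hypothetical.

```python
"""Hardened 'log me in' e-mail link flow (added example, hypothetical service).

A bare login URL is a bearer credential: whoever holds it is logged in, so
forwarding the e-mail forwards the login. The mitigations below are the
standard ones: hash-at-rest, short TTL, single use, and browser binding.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # a login link should not stay valid for days


@dataclass
class PendingLogin:
    user_id: str
    binding_hash: bytes   # SHA-256 of the cookie set on the requesting browser
    expires_at: float
    used: bool = False


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("utf-8")).digest()


class MagicLinkService:
    """Hypothetical login-link service; the plaintext URL token is never stored."""

    def __init__(self) -> None:
        self._pending: Dict[bytes, PendingLogin] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (url_token, browser_cookie).

        url_token goes into the e-mailed link; browser_cookie is set on the
        browser that clicked "send me a login link" and never leaves it.
        """
        now = time.time() if now is None else now
        url_token = secrets.token_urlsafe(32)
        browser_cookie = secrets.token_urlsafe(32)
        self._pending[_digest(url_token)] = PendingLogin(
            user_id=user_id,
            binding_hash=_digest(browser_cookie),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return url_token, browser_cookie

    def redeem(self, url_token: str, browser_cookie: Optional[str],
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (ok, user_id_or_reason); every check fails closed."""
        now = time.time() if now is None else now
        entry = self._pending.get(_digest(url_token))
        if entry is None:
            return False, "unknown token"
        if entry.used:
            return False, "token already used"
        if now > entry.expires_at:
            return False, "token expired"
        # A forwarded e-mail carries the URL but not this cookie, so the
        # recipient's browser cannot complete the login with the link alone.
        if browser_cookie is None or not hmac.compare_digest(
                entry.binding_hash, _digest(browser_cookie)):
            return False, "link opened from a different browser"
        entry.used = True  # single use, even if the e-mail is kept around
        return True, entry.user_id


if __name__ == "__main__":
    svc = MagicLinkService()
    token, cookie = svc.issue("alice")
    print("requesting browser:", svc.redeem(token, cookie))   # (True, 'alice')
    print("forwarded link:    ", svc.redeem(token, None))     # already used
```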

dewbiez

Probably true since I never even heard of it. XD

Plamen Ivanov

A friend of mine reported a way to see the friends list of people that have hidden their friends list and facebook claimed that this wasn't a bug (but still fixed it a few months later) and did not give him any bounty either.

rhymes

Tim Berners-Lee just announced a project to empower people with their own data: medium.com/@timberners_lee/one-sma...

Michael MacTaggert

The home page shows the total number of hearts, unicorns, and bookmarks.

Ben Halpern
Peter Kim Frank

My reply from Facebook, for what it's worth:

fb email

Yury

That reminds me. A few days ago we were revisiting some old bugs in our project and one of them was "looking at a picture logs me in as administrator".