Meta has banned the personal Facebook accounts for everyone on our team (twitter.com/theogapp_)
310 points by Ajedi32 on Sept 29, 2022 | 432 comments


Oh wow, this app got pulled from everything because it's an unofficial 3rd party client for Instagram? I'll say it again, companies should be legally forbidden from blocking 3rd party clients. They don't have to explicitly support them, but taking action to explicitly thwart them (and writing ToS that forbids them) should be outlawed. There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them. Tech companies get to exploit the public under the guise of something useful, while also getting to completely dictate the terms of that usage. The only thing that limits their exploitation of users is the laws applicable in the relevant jurisdictions (and sometimes not even that). Too bad looking out for the rights of users is apparently just a complete non-issue to anyone in power.


Why should 3rd parties be allowed to make unauthorized api requests?

Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

I don't align with Meta on a lot of issues, but they should be able to control what apps interact with their platform. Don't like it, don't use it.


The 3rd party is not making the API request though. I am, just using software that didn't come from the platform vendor.

Many 3rd party twitter clients have expressed a willingness to display ads if provided an API to do so.

As someone who has lost precious accessibility capabilities because of restrictions on 3rd party clients, I unfortunately have to point out that I don't really have a choice of what platforms I do or don't interact with in a lot of cases. I wouldn't stay at my job for very long if I didn't tolerate Slack's BS, for instance.


Let me offer you a question then: Do you know how much data the OG App is taking from you while you authorize it to work on your behalf? How do you know it's not reading through your entire message history? Or building its own network graph of your friends to sell? How about security? How do you know it's securely storing your credentials? Or that it's not selling said credentials as well?

Like in this scenario to Facebook it is in theory effectively you. Not the app operating on behalf of you with a limited set of permissions.


Yes, people can and will write malicious programs. Those will sometimes take the form of third party clients for a service. That is not and will never be a valid argument against them being allowed to exist. Monopolies are not ok. Abusive behavior by the dominant market players isn't ok.


Yes, but my point is that said clients should have to talk through properly secured APIs and required by law. Until then, an app like this is a massive, MASSIVE security risk and I would question the sanity of any team that saw something like this and ignored it.


> should have to talk through properly secured APIs

I don't follow what you mean by this. The API endpoints that a company provides ought to be secured properly. In practice they might or might not be but obviously they ought to be.

I don't see what that has to do with third party clients though. A third party client is stuck interacting with whatever API the company provides, however secure or insecure it might be.


I mean from another perspective this is effectively a MITM style way of interacting with Meta's API. They are behaving as another unauthorized layer between the user and Meta's API. In actual secure systems involving third party clients the client usually authorizes itself on behalf of some user requests or permissions, so while it does things for the user there's a clear and secure delegation of permissions.

Have you done much work with authorization? To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?

Now let's say that same website instead redirected you back to Steam (properly) and requested authorization on behalf of you. Is this secure?

Now which bucket does this app fall under?


> They are behaving as another unauthorized layer between the user and Meta's API.

Unauthorized? Hasn't the user explicitly authorized this layer by installing the app?


> To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?

"Is this secure?" fully depends on what the attack vectors you're considering are. Breach of the server's database? Make it an app instead of a website and make requests directly. Malicious code in the client itself? Make it open source. Now it's even more secure than the official client.

But regardless of all of this, how is it any of the service provider's business what I do with my login details? It's my data on my account. If I use it in an insecure fashion, that's my problem. I am free to post my login details on Twitter for everyone to see, so why can't I put them in a database on some Russian dude's basement server?


Moreover, exactly how does said 3rd-party app differ from a web browser? Is it not a 3rd-party that has full access to login credentials, cookies, etc? Do they prohibit certain browsers from using their websites and APIs?


This might not be the response you expected, but the app is only a security risk because it's not open source, and you can't audit its changes when you install an update. :)


Sure, there's a risk there. But it should be my choice whether or not to accept that risk, not Meta's.


In this case the risk you take doesn't matter (though I argue from a security standpoint this is something you should really care about in any argument around Meta), it's the risk Meta takes by allowing it. Because if the company takes your data and runs, Meta is the one also on the hook for not securing their APIs. If it turns out they're farming passwords from users to sell to whatever group, ultimately the class action lawsuit will come out with knives facing Meta.

Like this is a security problem, straight up. I would hope that you can agree on this and that not securing your API is bad.


What do you mean? On what planet is it a provider's fault if a third party farms logins through a custom client. It's not their fault if I get phished, if the little booklet I store my passwords in under my pillow gets stolen, if my computer is infected with a RAT... so why would it be in this scenario?

I only got a few posts into the thread before Twitter booted me out for not having an account, so maybe there's some context I'm missing, but what kind of "not securing your API" are you talking about? The fact that a third party, explicitly authorized by the user, was able to make actions on the user's behalf, doesn't make it secure, it makes it functional.


> What do you mean? On what planet is it a provider's fault if a third party farms logins through a custom client.

Earth: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...


> Cambridge Analytica then arranged an informed consent process for research in which several hundred thousand Facebook users would agree to complete a survey for payment that was only for academic use.

> However, Facebook allowed this app not only to collect personal information from survey respondents but also from respondents’ Facebook friends.[13] In this way, Cambridge Analytica acquired data from millions of Facebook users

FB gave them data about friends, when it was supposed to only give them data about respondents. Totally different situation.


Yes, the reason this happened was that when a user authorized the Cambridge Analytica app, it would have the ability to view information about all of that user's friends. Sound familiar?


The fault was not in anything CA did, even though I think what they did was bad. The fault was in Facebook letting clients access more data than you authorized them to.

If I approve an access request for a low level engineer to get a single repo from github, and github lets them access every repo on our orgs account, that's a huge fuckup by github, not me.
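
The two cases argued over in the comments above (a client holding the user's password versus a client holding a scoped delegation, and a service returning more than the user granted), as an added sketch that is not from any commenter and is not Meta's API. The `Service` class, the scope names and the sample users are all hypothetical, and password verification is omitted.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (hypothetical users, not taken from the thread).
DATA = {
    "alice": {"profile": "Alice, Boston", "messages": ["hi from mom"]},
    "bob": {"profile": "Bob, Austin", "messages": ["lunch?"]},
}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}}
# Hypothetical scope names for this sketch.
ALL_SCOPES = frozenset({"profile:read", "messages:read", "friends:read"})


@dataclass(frozen=True)
class Grant:
    user: str          # whose account the token acts for
    client_id: str     # which client the service believes it is talking to
    scopes: frozenset  # what that client may do


class Service:
    """Toy resource server that enforces grants on every read."""

    def __init__(self):
        self._grants = {}  # opaque token -> Grant

    def _store(self, grant):
        token = secrets.token_urlsafe(32)
        self._grants[token] = grant
        return token

    def login_with_password(self, user):
        # Whoever holds the password is indistinguishable from the user:
        # no client identity, every scope. (Password check omitted.)
        return self._store(Grant(user, "password-session", ALL_SCOPES))

    def delegate(self, user, client_id, requested):
        # The user approves specific scopes for a named client on the
        # service's own consent screen; the client never sees the password.
        requested = frozenset(requested)
        unknown = requested - ALL_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        return self._store(Grant(user, client_id, requested))

    def revoke_client(self, user, client_id):
        # Cut off one client without changing the password or other sessions.
        doomed = [t for t, g in self._grants.items()
                  if g.user == user and g.client_id == client_id]
        for t in doomed:
            del self._grants[t]
        return len(doomed)

    def read(self, token, owner, field):
        grant = self._grants.get(token)
        if grant is None:
            return (401, None)
        if owner not in DATA or field not in DATA[owner]:
            return (404, None)
        if f"{field}:read" not in grant.scopes:
            return (403, None)
        if owner != grant.user:
            # Another user's data needs an explicit friends scope, a real
            # friendship, and is limited to the profile. Skipping this check
            # is the "more data than you authorized" failure.
            allowed = (field == "profile"
                       and "friends:read" in grant.scopes
                       and owner in FRIENDS.get(grant.user, set()))
            if not allowed:
                return (403, None)
        return (200, DATA[owner][field])


def demo():
    svc = Service()
    full = svc.login_with_password("alice")
    scoped = svc.delegate("alice", "survey-app", {"profile:read"})
    return {
        "scoped own profile": svc.read(scoped, "alice", "profile"),
        "scoped own messages": svc.read(scoped, "alice", "messages"),
        "scoped friend profile": svc.read(scoped, "bob", "profile"),
        "password friend profile": svc.read(full, "bob", "profile"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
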


No, not even remotely similar. A user authorized CA to see their data for the purpose of a research survey. CA got more data than the user thought they were giving them. With a custom client, the user is giving the client their account for the purpose of accessing all of Facebook through it. The client is getting exactly what the user is giving them and it makes perfect sense that it needs it.


Should you secure your API? Of course. But you should not secure my data from me.


If you use the third party app, it might be doing all that stuff. If you use the official app, it will be doing all that stuff.


By this logic, it should be illegal / a breach of contract for you to run an ad blocker, since the company may not make money? Should you also be forced to look at ads and not switch channels while they're on TV, with the channel being free to cut access if they find you haven't been looking at the ads they serve?

This logic really bends over backwards to support FB's and similar business models.


Rather than just blocking the request for the ad, if an ad blocker allowed the requesting site to make the request for the ad but then just sent the data to the browser's equivalent of /dev/null, I'd be fine with that as long as I never had to see/hear the ad.

This is of course ripe for abuse, but that's just synonymous for digital advertising in general. I don't consider it any different than me hitting mute on the TV during ad breaks or getting up and going to another room during that break.


This makes absolutely no sense whatsoever.

If you don't think sites have a fundamental right to push ads to sustain themselves (as I don't), then blocking the request is the best place to do it for performance reasons.

But even if you do believe in that right - the site and advertiser care about a single thing: a human being seeing the ad. Serving the Ad request is not just useless for their purpose, it is actively costing them money, and potentially muddling their data.


> the site and advertiser care about a single thing

I disagree. The site just wants the advertiser's money. The advertiser wants the human to see an ad.


The user wants to support the site, and doesn't want to see the ad.

Why not have the browser /dev/null them, and click a few for the heck of it? It would be in the user's interest.


AdNauseam does this, it clicks all or most of the ads that it blocks. It's based on uBlock too. https://adnauseam.io


Isn't this what I stated in the original comment?


Doing that is borderline fraud - I believe that GP meant to highlight this. If it gets counted as actual clicks, it's actually explicitly defrauding the advertiser.


Is it though?

Most people sometimes leave the room while ads play on TV. The advertisers know that and work the percentage of people that do that into their pricing, etc.

Also, non-organic click fraud is rampant already (and maybe even the majority of clicks). /dev/null + click would at least route ad income to reputable sites that at least have some human readers to view future ad impressions.


There is a difference between you ignoring ads as a user, or an adblock tool removing the ads entirely, and a tool that explicitly tries to make it look as if the user is interacting with the ads. The last tool is actively malicious and deceptive in a way the others are not.


I never meant to imply clicking the ads in order to get fake clicks. What I meant was for any ads posters/videos that are loaded during page load to go ahead and load them BUT don't display them. This gives the website the impression count, but no fraudulent click throughs. This was how I was equating it to walking out of the room during broadcast commercial breaks.


That would still waste bandwidth.


Yes, if a website clearly stated that by accessing the content of the webpage you agree to not use an adblocker while doing so, that could well be legal depending on the circumstances. Enforcing it would of course be difficult.

If you found out Netflix actually streams their content from a public endpoint, you would not be legally allowed to take advantage of that.


No one should be able to control what apps interact with their platform. Companies should have exactly zero control over how people interact with endpoints they open to the internet and it should be illegal and unenforceable to try to create any contractual obligations about how someone interacts with your APIs.


Cheers, I have never before heard anyone else say these points I've been arguing (without me saying it first, at least). I feel a real sense of relief not being the only person "in the room" to say this, for once.


This seems extreme. Do you support fair use limits, or is blocking a DOS attack also a violation of these rules?


I don’t see any reason that fair use limits or blocking interactions that behave like attacks should be incompatible with allowing and not penalising the use of third party clients.


Let’s not be ridiculous. DOS is not use, it’s abuse.


I want to preface this with that I agree with your point that DOS is abuse and not actually trying to use the platform.

I disagree with calling the question ridiculous. If we’re involving legality like the poster up thread implied with making this illegal then there needs to be some sort of test or rule put in place on what constitutes illegal activity. We currently don’t have one and whenever a new rule is put in place you quickly find out that there is a significant chunk of people who would find anything you think is obviously wrong to be obviously right and vice versa


And using their servers and resources without generating them any revenue is not abuse? They clearly don’t want you to run a third party app without ads, yet you feel entitled to it?


No, it's not. In this case, abuse is about intent: DOS intends to cause distress, losses and denial of service to others. Use with third party apps without ads intends none of this: the intent is to use something else to access the service in an otherwise normal (to the user) way.

Arguably third-party apps that are scrapers are somewhere in between these two in acceptability, but that's a question of "are scrapers morally fine and should they be legally allowed", not a question of whether third party clients are to be allowed at all.


If I access your API I’m using your server because you offer it publicly. That is not abuse.

The distinction is about whether you should be able to offer something publicly, taking advantage of public infrastructure to do so, and then make demands about what the public do with that.

Companies want to do the electronic equivalent of putting copyrighted media on a billboard in a public square then claiming you need to sign a contract to look at it and then only through special glasses they provide.


When you signed up for an account you agreed to those terms, the api is not public/unauthenticated.


forgot /s


I think I should have the legal right to access private messages addressed to me by family members via the service explicitly designed to facilitate private communication between friends and family members. I don't think I should be forced to see advertisements and be subjected to historically-unprecedented surveillance to read those couple hundred bytes of text from a family member.

When a platform's primary purpose is communication, certain legal rights should be invoked immediately. In my opinion, one of those rights should be the ability to access those communications by any 3rd party client that doesn't intentionally function maliciously. How "proper 3rd-party client behaviour" is evaluated can be a problem for the industry to solve. They have the $trillions to figure something out. I think they'll survive.

The argument "don't like it, don't use it" isn't a very reasonable argument when, socially speaking, you "have" to use a given service (usually the regionally-omnipresent service) to be included in society. Communication is the foundation of society and of human existence. I miss out on a shocking and honestly depressing amount of social activity because of my boycotting of FB, IG, WhatsApp and other similar services.

I expect that our ability to communicate is carefully protected and treated as something crucially important. There's a reason there are SO MANY commercial services around communication and they are largely the most lucrative, because everyone NEEDS to communicate. People will subject themselves to extremely disadvantageous conditions to enable communication with others. Think about it. Facebook, Twitter, Instagram, TikTok, the internet, cellular phone service. These things are fundamental to communication in global society, and a TON of laws are written to govern their employment/usage. Internet communication just happens to still be pretty early in the stages of its effect on humanity, and as usual the legal world is well behind what those effects are. The effects are finally being felt. I believe my feelings on this subject will become more widespread as people realize how deeply they have been exploited by industry (once again).


I disagree. No one has the right to use facebook/twitter/etc as they wish, or even at all. They're not necessary for modern western society. SMS and phone calls are always an option. We aren't like China where if you don't have WeChat you can't do anything.


On the flip side, then, no government organizations should use Twitter as their primary form of disseminating information. I should be able to get this information without creating an account on these platforms (looking at you, MBTA).


Yeah, I totally believe this -- no government organization should be allowed to post public announcements/information to a proprietary platform gated behind a ToS without also posting that information on publicly-accessible unencumbered locations like a basic, low-resource-usage website.


The forces at play when it comes to communication platforms are not so black and white. I didn't say that I expect to have the inalienable right to use the service. I just expect to have the right to use the service without especially onerous "cost" to me (such as being subjected to privacy-invading surveillance/tracking technology and advertising). If someone goes on there and spouts walls of swearing and racist memes or whatever, yeah, banned.

And, actually, have you tried just not using Facebook for a year? Don't even log in whatsoever? Try it, seriously. I have missed parties, concerts, family gatherings (seriously), news of births, marriages, new homes, major life events (including deaths). I found out my cousin had a kid like 6 months later. I found out a friend died months after it happened. I miss out on the opportunity to partake in things that would have greatly enriched my life. This is the cost to me, personally, by opting out of THE platform that EVERYONE uses. I can't just constantly SMS and call everyone I know asking them every detail of their life, because they exclusively share it all on Facebook. You simply cannot invalidate this very real cost as "yeah well, just use something else".

These huge costs of exclusion are exactly why I believe that I should have the right to access de-facto-standard communication services with software that respects my psychological stability, privacy, accessibility needs (including cognitive), of my choice -- again, as long as that software conforms with proper API usage behaviour. Right now, I'm in a pretty coercive position where I either subject to the objectively-harmful design of the Facebook platform, or face pretty adverse effects to my socialization. That's one reason case where governments enact laws, to protect individuals from these sort of extremely skewed power imbalances.

BTW, I get what you're saying. All these services are technically optional. I kinda used to feel that way, until I actually started not using the services that I felt were manipulating and coercing me. Then I realized just how much power these services have over us. I realized these services are optional in just the same way as the telephone and the automobile used to be. Totally still optional. Just mail a letter instead. To me it's like, at this point, as a society, we need to decide whether we care if someone can be seriously cut off from modern society because they don't agree to have advertising shoved in their face, manipulative "algorithmic feeds" selectively shown to them to "drive engagement", and unprecedented surveillance cataloguing their every action 24/7/365.


> some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

They're welcome to find a different business model. Why should we sacrifice interoperability for everyone for their sake?


Why should you get to use their servers and resources if they don't want you to be using them without displaying ads?


TV channels don't want you to mute your TV when they display ads, should TVs block this functionality to force you listen to their ad?


Probably because literally every single friend and family member of mine is on there and sharing their entire life there (and messaging me) and I can't take part in that. I said in another comment that once a platform provides that degree of communication, certain rights to protect the users should be applicable, to ensure we are able to participate in society without onerous cost to our mental health, dignity or privacy.


They're welcome to take the servers down altogether, if they can't pay for them without displaying ads.

Or require an API key that's tied to a particular account that pays for access.


If shops don’t like shoplifters, they should stop putting products on shelves where anybody can just take them and walk out - it’s dumb to get the police involved to keep sustaining this obviously-flawed business model.


Stores DO lock stuff up. Nevermind that shoplifting is barely even a concern for most large stores, as they lose significantly more to other means of "shrink"


Why are first parties serving unauthorized API requests? If the API request is unauthorized, surely the proper response is "401 Unauthorized" and not "all the data you asked for, but then I'll find the people who helped you and get mad at them"?

The problem here is that Meta wants to plug things into the internet and then control who gets to ask for those things. This is not how the internet works, at all. If you don't want third parties accessing your APIs, lock them down.


I'm willing to bet the instagram app already signs their api requests to make sure they're coming from the app. Third party apps are reverse engineering that. If you try to send a request without those headers, it'll very likely give you a 4xx code.


The DMCA already has provisions that say reverse engineering for interoperability is fair game.


You can reverse engineer it all you want, the issue is when you publish something that interacts with a remote resource in a way that the owner of that resource did not allow you to.


This.

> unauthorized api requests

The word "unauthorized" has two meanings here:

One is authorized by the user, another is authorized by the vendor.


While I mostly agree with you, banning the personal accounts from their *team* is a bit much. Specially considering how that also includes access to Instagram, and WhatsApp, WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.


I agree, it's a bit much. But they are all violating the ToS they accepted so...


By that logic, every employee of Apple/Google/Meta or at least the ones working on related projects should be handed a fine every time Apple/Google/Meta gets fined by the EU for breaking the law/abusing its position? They are violating the law after all.


I don't see how to conclude that from my logic.

An equivalent one is a company not allowing Google employees to use their services for whatever reason. That's fine and acceptable.


You mean that document saying something like: "we can do what we want, no recourse possible"?

That should be forbidden too.


I'm pretty sure there's a line there about reverse engineering


You can put whatever you want in a contract, and the other party can sign it, but that is not enough for it to be valid. Contract law usually has call outs against obviously absurd, overreaching, or "I own everything and anything" clauses


> WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.

Absolutely the best reason why businesses should move to Signal. Imagine if your business gets cut off from Meta products, or if at any moment some of your customers get cut off.

Facebook is an extremely limited and poor platform for representing a business, and it too should be avoided for the same reasons (and for being such a garbage fire in general).


Signal is another centralized platform which explicitly prohibits using 3rd party clients.


Why shouldn't I be able to use the software of my choosing? If I have an account and have properly authenticated, the client I use is my choice.

You can't reasonably make the "go elsewhere" argument with the monopoly hold FB has on much social data. We need to choose to regulate them and others to force interoperability, or at the very least allow comcom explicitly (competitive compatibility).


Because your access to their API is conditioned on an agreement not to use unauthorized clients. You are free to use the software of your choosing in conjunction with your own computers, but not necessarily with everybody else's.


What's an unauthorized device? If I fork chromium and make my own browser what makes it authorized or unauthorized? If I make a CURL request from my terminal is that authorized or unauthorized?

If FB blocked any requests from Firefox Focus they'd likely be in hot water from government agencies.

Do they have the right to block any other app?


“You shouldn’t be able to do something because it’s not allowed” is a tautological argument. Parent comment is arguing that it should be made allowed.


[flagged]


This kinda is how freedom works though. You're free to use whatever client you want, and Meta is free to implement API in a way that will not allow your client to call it.


Technically free and actually free are not the same thing.


So I should be able to steal from my neighbor because that's true freedom? Because you're using their resources and servers in a way they didn't authorize.


It's not stealing if they gave you the data.


They don't though. They're giving the data to the original client, not to the third party one. They're free to choose who they're giving the data to and you accept those conditions by using their product.

¯\_(ツ)_/¯


They gave you the data conditioned on an agreement not to use unauthorized clients, the same way any number of real-world businesses "give" you things subject to conditions, like the waffle maker in the hotel lobby which requires you to stay there overnight to use it.


What if your neighbor lends you a book, subject to the condition that you only read it to your sons, not your daughters? Are you stealing if you read it to your daughters anyway?


I don't know, because that's not a real agreement, unlike the hotel waffle maker and Instagram's client rules.


So you want to consume their content, use their servers, but not display their ads?


They are free to cease offering unpaid accounts if they wish.


Nothing prevents a third-party client from displaying ads.


I think the perspective here is a very interesting one. Typically, such transactions are seen as between a user and a service provider. There is an agreed-upon protocol, and so long as everyone sticks to the agreed-upon protocol, the exchange can be successful: this is the basis of Email, the Web, etc.

Taking aside advertisement for a moment, what you're suggesting is that the level of control should go as far as which clients are allowed to speak a given protocol. This would be similar to the landline system during the monopoly days, where you were only allowed to connect an officially-approved phone (with a correspondingly high ongoing rental cost) to the copper lines.

From my perspective, there is no 3rd party involved here: there is an API surface which is developed and supported, and there is a client/customer who is interacting with the service through that API. Advertising either needs to be implemented into the API (good luck--see the demise of RSS), or the 1st party needs another business model.


> Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

Ad blockers are already a thing. Should they be forbidden?


My position is that if a website uses anti-adblock and you're using an adblock, circumventing it isn't okay. You're free to use a different website.

Now, one could argue that by displaying ads in the first place, using an adblock is circumventing something therefore it isn't okay (basically remove one layer of abstraction from the previous sentence). That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).

One could argue that allowing adblock users is a strategic decision in hopes they can spread the use of the website and payoff their "debt" that way. I operate web games and I allow adblock users for that reason.


> That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).

That's fair - you are knowingly subsidising adblock users. If you don't want to subsidise adblock users, you're free to use a different site.

(That's your basic argument, right? Freedom?)


Should phone companies get to force you to use phones you rent from them, instead of having the freedom to bring your own?


If that's their business model and they want to, sure. I'd guess that most wouldn't because it's not as profitable (they'd lose too many customers).


I don't think there should be "freedom of business model". We aren't obliged to respect and comply with your choice of way of getting rich. If your business model is dependent on people looking at you in the "right" way then tough luck.


I don't think there should be "freedom to use my stuff but ignore my rules" model - if a person (or a company) is providing a service, they should be able to do it the way they like. Don't like the rules? Don't use the service.

If there was fraud involved, one party may get damage/compensation.. But forcing someone to provide service is just not right.

(With the exception of monopolies of course. Let's regulate them.)


Should your power company be able to impose a rule on you that you must not plug any Samsung-branded appliances into any outlets in your house? Re your "monopolies" parenthetical, what if you live somewhere where you can pick what company generates your power? Would this be okay in those places?


Nobody has a monopoly on power generation, $30k can get you a self sufficient solar setup so obviously power companies should be allowed to create whatever conditions they want...... /s


That was literally how phones worked in the beginning - AT&T had to be taken to court to stop it.


Exactly - until legal action happened. I think internet user rights have a LONG way to go, and I can only pray that stuff like "forced to look at insipid, manipulative advertising so you can continue to talk to your family" may indeed become a thing of the past.

I currently have an Inbox of multiple messages from family members awaiting me, except I refuse to log into Facebook to view them. The only remaining notification email I have left enabled for Facebook is exactly that -- private messages. This way I can contact the relevant person elsewhere and ask them what the message was. This is the kind of "bending over backwards" I have to do to avoid the surveillance-capitalism crap I'm coerced towards by these platforms that can do essentially whatever they want AND demand exactly how we are _allowed_ to interact with them. Why can't I use an unofficial Facebook Messenger client and read the <100 bytes of communication my family member wanted to send me? Ahh yes I have to agree to a hundred-page ToS and subject myself to ads and privacy-invading user tracking to see those few bytes. This is fine.


That's exactly what phone companies used to do, and they only stopped when the government made them stop. It was more profitable for them, at our expense.


AFAIK you've always been able to bring your own phone. They just wouldn't unlock your subsidized phone after the contract ended (which I find unfair, but it's in the contract people signed, so...). Regardless, I think this line of thought is becoming too off-topic.

Why should the first party be serving content to people using third party apps that generate them no revenue? Just like websites are free to block adblock users, app apis should be free to block third party app users.


I'm not talking about cell phones. I'm talking about rotary dial phones back in the days of Ma Bell.


The United States government disagrees with you.


Meta isn't a utility that's been granted a legal monopoly / duopoly by the government, so it's not a great analogy.


Should websites be able to dictate which programs can access them? In a way a website is just an API too.


They do. Many of them expect Chrome. While Safari and Firefox are now much better supported than years past due to most sites complying with web standards, I still see some annoying incompatibilities here and there with older finance websites. I didn’t like it, so I switched to a larger bank. Your argument would have more teeth if Meta had a monopoly. It doesn’t.



Do you support AT&T's behavior there?


I don't think the same set of interests are in play there. Phone companies have a government granted monopoly on things like wireless spectrum and public rights-of-way for wiring and other infrastructure, not to mention subsidies and tax breaks.

I can't come up with a good justification why a private company on the Internet cannot dictate how you interact with them. Facebook isn't infrastructure.


Rules about things like DRM already have carve outs for "interoperability". A big example is back in the 90s, EA didn't like the rules Sega made for putting games on the MegaDrive/Genesis, so they did some reverse engineering work and made their own cartridges that worked great. Sega took them to court and got smacked down pretty hard, basically invalidating their entire anti-copy strategy.

We should push for MORE of the above, not less. We should push for laws that HELP people use the things they have, instead of locking them out of their own property. If Facebook doesn't like people trying to access their own content, Facebook shouldn't have built a business on everyone else's content. Nobody forced them to do that.


EA making games for MegaDrive/Genesis doesn’t cost Sega any money. You using the api without ever seeing any ads will actively cost Meta money. Not the same thing.


I agree that it's not the same thing, and I don't know offhand about the MegaDrive/Genesis in particular, but game consoles have often been sold at a loss with profit made on sale of games. If that was true for Sega at the time, anyone EA making games that motivate sales of Sega consoles but no purchase of Sega (or Sega-licensed) games would absolutely be costing Sega money.

I make no particular comment, here, on whether we should be defending that business model.


Why should 3rd parties be allowed to sell unauthorized devices to be connected to the telephone line?

Additionally, phones are only monetized through leasing, and 3rd party phones aren’t leased. How do you expect the 1st party to stay in business?

I don’t align with AT&T on a lot of issues, but they should be able to control which phones connect to their network. Don’t like it, don’t use it.


"How do you expect the 1st party to stay in business?"

Here is a different way to look at what is going on lately in the short history of the internetworked computer. To me, there is no legitimate "business". Meta cannot charge IG users a fee. They will not pay. If they would pay, then why not charge them. Instead Meta exploits IG visitors by spying on them. Advertisers will pay. Third parties will be interested in the data Meta collects. What Meta is doing with FB, IG or WhatsApp is not legit "business" IMHO, because, IMO, a business generally produces something of value that people pay for. Generally, Meta does not do that.

Newspapers sold advertising, but people were willing to pay for newspapers. Because newspapers produced something of value. They employed people to produce a product that people paid for: journalism.

Meta does not employ people to produce something of value that people will pay for. The content on these apps comes from the people who use them, and from journalists employed by newspapers, but not Meta. Meta makes people the product, access to and data on which they sell to paying customers. Websites and apps are not "products". In this "business" the people who use them, their behaviour and the details of their lives, are the product.

A kid's lemonade stand looks more legit as "business" to me than a "tech" company producing so-called "products" that are given away for free, as bait. These are not the product that customers pay for, that no one likes to talk about.

Billboard owners sell advertising. They own or lease real estate with high visibility to traffic. It is difficult to avoid billboards because we generally use the same paths to travel in physical space. As such, billboards are regulated. Not everyone with land adjacent to high traffic routes can erect billboards. See, e.g., Highway Beautification Act of 1965.

Perhaps Meta is like a billboard company in a world that has yet to regulate billboards. IMO, Meta is far more of a hazard to life than a billboard is to the beauty of a highway. Meta does more than display advertising to people who use their websites and apps. Meta's "business model" is threatening the stability of society. If it is allowed to continue, it should be heavily regulated.

Imagine someone telling you, "If you don't like the billboards, don't look at them." Or "If you don't like the billboards, don't use the highway." It is not so simple. Now imagine Meta tells you, "If you don't look at the billboards, you cannot use the highway".

Meta is obscuring the true potential of the internet. It has given the internet a bad rap. Meta is not the internet nor its potential to improve people's lives anymore than billboards are the scenery. If left unregulated, billboards can obscure the scenery and eventually they can destroy it.


If you want to use their apps so badly to connect with friends and family, it seems like they’re providing you with legitimate value. Your payment is being exposed to their ads. This is a legitimate business.

Billboards are regulated because they’re inevitable. You’ll see them just walking around. On the other hand, no one is forcing you to use Facebook nor Instagram.


> Don't like it, don't use it

I don't like it and I don't use it, but unfortunately it's more complicated than that because of the network effect.


Because it allows for market competition at a tiny cost to a corporation. Free market competition in these ways makes people's lives better.


If it's unauthorized, then not only does it MITM the ad revenue, it MITMs the user's authentication too.


If it's a client, it's not in the middle.


Every time this kind of thing happens I just remember how much bigger Twitter got with the help of third-party clients, and then implemented terrible login token limits to prevent any from becoming as good as their own offerings once traction picked up.


Yup! As a Twitter user since 2007 I've watched as 3rd party clients were superior by far (TweetDeck was still my favorite), and have now been left in the dust as Twitter leaves them for dead by cutting off API features to them. Twitter itself has never made a client as good as TweetDeck or TweetBot, and invariably never will.


> Twitter itself has never made a client as good as TweetDeck or TweetBot, and invariably never will.

tweetdeck.twitter.com exists and I use it regularly, what am I missing?


Twitter bought Tweetdeck for $40 Million in 2011.


Exactly right - I meant the "real" TweetDeck of 2008-2010 lol :) Multiple columns of custom user groups, so straightforward. Oh yeah, no ads!


"Yellow" Tweetdeck.


Ok, that’s fair, but how should the platform be compensated for the resources expended by the users or developers in question?

Would you be ok with a usage plan? Something like $1 per 10,000 tweets read? I mean, the developer could save money by caching the most popular tweets and serving them from their cache, I imagine they’d have to charge for that infrastructure though and somehow they would pass the costs onto the user. Maybe they could offer a monthly plan, with some kind of fixed cost that would keep most users fed with tweets while also not making users worry about usage based billing.

Maybe Twitter/Insta/whatever could just require you to have a paid plan to use 3rd party clients?


Sure, that's fine by me. Or even "video content is restricted to 240p unless you have a paid subscription, then you can see videos in 1080p". Right? It's 1000% possible to come up with totally fair business models that aren't so blatantly exploitative. Right now "the user is the product" on ANY free service.

Previously there was App.net, which was effectively "Twitter but you pay for access". It had a free tier which had very reasonable limits. It was actually super awesome, and it actually provided a whole identity platform, enabling 3rd party applications of different kinds (for example an Instagram-like, Favd[0]). Unfortunately it didn't pan out, not sure the whole backstory, but it was a really amazing platform and I would love to see more internet services like that.

[0] https://www.eriksoderstrom.com/p/favd-app-nets-gateway-drug


Ok... what if they said, "it is free if you use our app and let us advertise to you, or you can pay us and use any client you want"?


That would be awesome. Right now, you usually get an even less favorable choice than that! For example with Spotify, you either use their app and see ads, or you pay and don't see ads, but still are forced to use their app.


That is probably a licensing requirement for the providers of the music. They likely require some form of DRM in their agreement with Spotify.

If anyone could make an App, how would Spotify be able to properly track song plays and whatever else they need in order to pay the rights holders?

Plus, someone would end up creating a 3rd party client that silently plays some song, unbeknownst to the user, in order to rack up plays and earn more money.


The same way Spotify does: it's using APIs. Design them in a way that can't be trivially circumvented and bob's your uncle.


Great, I'd love that


It would be reasonable to consider setting up such a paid plan, but that's not what Meta did here, and what they did was totally unreasonable.


> companies should be legally forbidden from blocking 3rd party clients

While, in cases like this, I agree with you, I think there needs to be nuance to a rule like this.

Consider what would happen in the reverse case. A competitor arises to some aspect of Facebook's services—say, an app that does something kinda like Instagram, but not quite—and becomes somewhat popular.

Facebook adds support for accessing this competitor's service from their own app—look how convenient! You don't need to download two apps, just our app!

They replace the ads from the service maker with their own, thus starving them of revenue...or they just wait until some critical mass of users access the other service through their app, then offer free and easy migration from the other service to their own. Then they start introducing UX problems with the other service—oh, but it's not their fault. It's because of changes to the API or ToS of the other app!

In short, if this sort of thing is mandated universally, it simply tips the scales back in favor of the behemoths already ruling the roost, who can afford to build support for a dozen competing apps right into their own, and use the good old Embrace, Extend, Extinguish (or any similar playbook) to make sure the competitors die of asphyxiation.


Without control of the client, it gets much harder to fight abuse.


If you've ever worked on an online service, you might realize that what you ship for the client is almost irrelevant -- it can all be reverse engineered and an unofficial client can _always_ be created. This happens for all online services, even if it's just someone's data-mining app running on a local machine. The number one rule is "never trust what comes from the client", because it's trivial to create carefully-crafted network calls to basically do whatever the API allows (and sometimes more than what was supposed to be allowed).

So, obviously 3rd party clients are thus able to perform malicious acts, but existing laws already forbid this.

My suggestion to ensure 3rd party clients are always legally permitted isn't mutually exclusive with existing laws protecting the creators of services and software. :)


You should check out Apple App Attest — this just isn’t true any more for mobile.

https://developer.apple.com/documentation/devicecheck/valida...


I haven't read it thoroughly, but given the App Attest service runs on the OS, why can't someone just find the certificate for it hidden somewhere and use that to sign fake attests in userland? This is just an extra layer of obfuscation. It doesn't prevent someone from faking api calls with no app (or phone) involved.


Given that this only runs on certain Apple hardware, I wouldn’t be surprised if the Secure Enclave holds that certificate and can confirm at an extremely low level that it is being used only to sign a hash of the app code itself and a shared secret with the app developer.

Brilliant, in a scary way. In a way it makes data portability regulations all the more important.


From my quick reading of the docs:

It generates a public-private key pair that is stored in the secure enclave, then it sends that public key (or the hash maybe) to Apple for them to sign. The rest of the stuff is as you expect.

One could simply figure out how the request to Apple is made to get them to sign a key, and that's that. Get them to sign a key and pretend to be the app from now on.

I guess this prevents spam from someone signing thousands of keys using a specific phone's serial number, though. Assuming there's a unique public-private key for each phone Apple makes, one can't simply get them to sign keys with random serial numbers.


The way these schemes usually work is that the pairing is done at the factory. Apple switch the iPhone on for the first time as it's being made, it generates a private key that never leaves the secure chip and then presents the public key. The public key is then signed to create a certificate chain and the certs handed back to the device for storage.

So, there's no way to beat it except by extracting a private key, or by using some software exploit to confuse it into signing the wrong thing.


You don't need to extract the private key though, just use it to sign things. So if you have shell access on the phone, you can tell the SE to sign the request you want.


Only to some extent. Apple work very hard to prevent that from being possible, and it's not necessarily signing just anything the app processor sends. Usually this stuff is integrated with the bootup process.
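The factory-pairing scheme described in the comments above, sketched from the verifying server's side. This is an added example, not part of the thread and not Apple's implementation: Lamport one-time hash signatures stand in for the elliptic-curve keys real hardware uses so that it runs on the Python standard library alone, and the `Device` and `Server` classes, the nonce handling and the request strings are constructed for illustration.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (stand-in for ECDSA; each key signs ONCE) ---
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))


def encode_pk(pk) -> bytes:
    return b"".join(h for pair in pk for h in pair)


class Device:
    """Constructed stand-in for a phone with a secure chip."""

    def __init__(self, root_sk):
        self._sk, self.pk = keygen()                   # private key stays inside
        self.cert = sign(root_sk, encode_pk(self.pk))  # factory signs the public key

    def attest(self, nonce: bytes, request: bytes):
        # Signature covers the server's nonce and a hash of the request.
        return sign(self._sk, nonce + H(request))


class Server:
    """Trusts only the manufacturer root key; never trusts the client's claims."""

    def __init__(self, root_pk):
        self.root_pk = root_pk
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, nonce, request, device_pk, cert, sig) -> str:
        if nonce not in self.pending:
            return "stale-or-unknown-nonce"
        self.pending.discard(nonce)                    # a nonce is valid once
        if not verify(self.root_pk, encode_pk(device_pk), cert):
            return "untrusted-device-key"
        if not verify(device_pk, nonce + H(request), sig):
            return "bad-signature"
        return "ok"


def demo():
    root_sk, root_pk = keygen()       # manufacturer root (constructed)
    phone = Device(root_sk)           # certified at the "factory"
    server = Server(root_pk)
    request = b"GET /feed"            # constructed sample request

    n1 = server.challenge()
    sig = phone.attest(n1, request)
    results = {"genuine": server.accept(n1, request, phone.pk, phone.cert, sig)}

    # Same message presented a second time: the nonce is already spent.
    results["replay"] = server.accept(n1, request, phone.pk, phone.cert, sig)

    # Old signature attached to a different request under a fresh nonce.
    n2 = server.challenge()
    results["reused_sig"] = server.accept(
        n2, b"POST /delete", phone.pk, phone.cert, sig)

    # A key pair certified by some other root, not the manufacturer's.
    other_root_sk, _ = keygen()
    rogue = Device(other_root_sk)
    n3 = server.challenge()
    results["self_certified"] = server.accept(
        n3, request, rogue.pk, rogue.cert, rogue.attest(n3, request))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

A passing check shows that a factory-certified key signed this nonce and this request; it says nothing about which software on the device asked for the signature.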


It isn't true for iOS devices, perhaps. I refuse to run an OS that supports such nonsense. Right now a custom Android rom is sufficient. In the future I expect I'll be moving to one of the Linux distros once they have better support for mobile.


Does this still work on jailbroken phones where you can let apps modify the memory of other running apps (à la CheatEngine)?


"Never trust the client" is true, but in practice, some control over the client still helps reduce abuse if you make third party clients a lot harder (eg remote attestation.)


Back when MechWarrior Online was still pretty new, I reversed the login app (100% .Net, very little obfuscation) which allowed me to access test servers that were testing an unreleased map. Fun times.


I agree with you, but specifically, I believe it is the user which should have this control. This prevents abuse by the service provider.


Do you also support games using client-side anti-cheat in your OS kernel?


This seems a bit unrelated but I'll chime in with my opinion.

Unfortunately for some types of games (first person shooters), a modified client can be game ruining for other players. For me, as long as it's only running while the client is running, and doesn't send private data remotely, I'm okay with it.

At least on Windows there's not much difference in terms of privacy of something running in the kernel vs userland in the same user as your important documents. It can read your entire filesystem and attach to running apps anyway without needing kernel access. So the "in your OS kernel" part is only concerning if their anti-cheat is coded poorly enough to cause a BSoD.


All wonderful. Except the anticheat doesn't work and only active moderation stops the game from being ruined.


It prevents the more amateurish cheats, which by itself reduces cheating in the community by a lot. Obviously in these kind of games, active policing is the only way to find the most sophisticated cheaters. But the anti-cheat does help.


Well, if valid uses for clients are outlawed then the only people buying clients will be the ones trying to abuse the system. So really all the policy does is change the market.


Meta isn't some utility people can't live without. It's optional. If you're worried about abuse, then don't use it.


> Meta isn't some utility people can't live without.

This is not true for large parts of society.

There are many institutions which force you to communicate via facebook, so not having access to it means you're locked out of parts of your real life.

This is horribly wrong by those institutions, of course, but here we are. It should be illegal, but isn't yet.


Which institutions? If it affected “a large part of society”, I would imagine that I would be aware of it.


Schools tend to be worst offenders, clubs, companies (heard of at least one company which only honors warranty support via facebook!).


Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options. After the Cambridge Analytica scandal, Facebook no longer has unbreakable mindshare. This is especially true the younger the generation.


>Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options

Good luck if it's a business or public org. Why change their process for what amounts to a minority of customers? It's not worth the cost. Whether these people can't do business with them despite these services being essential to everyday life... well tough luck for them I guess?

Own example: in $COUNTRY almost all banks use either their app or Viber to send 2FA. I refuse to use Viber out of principle, and also their app refuses to work on phones that don't use Google services. Should I be locked out of my banking because of me refusing to support the practices of other, unrelated services that happen to be 'popular'? Note that there is no other way to get the codes - other banks may use SMS but that is expected to be sunset next year and they will switch to the same methods.

IMHO it's disingenuous to say that there are options, when most of the time there aren't any.


It’s not as endemic as you make it out to be or there would be a public outcry.

Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives


> It’s not as endemic as you make it out to be or there would be a public outcry.

It's a matter of time. Even if it's not endemic in the US (which I severely doubt) it's endemic elsewhere. Don't underestimate the public's ability to put up with things, especially if they are mostly kept in the dark about the most sinister effects.

> Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives

Both are essential. Social media is what you make of it. It can be bread and circus, yes, but it is also an invaluable tool for communication. Losing access to them can stifle your communication efforts by a lot. Why, you may ask? Because network effect is in full swing: "Phone call? Who still does that? Just use messenger like a normal person". No one's gonna bother to call you or SMS you cause 1) you're not on messenger or whatever app they use and 2) can't be bothered to contact you at your preferred non-app way, when the whole friend group has a group chat from which every single interaction and update is broadcasted to everyone. In the end, keeping you in the loop is too much work, and then you start missing out on outings etc. And even if you somehow persuaded all of your friends to use alternative methods of communication, 99.999% of the planet just can't be bothered, especially when they have friends that are reachable over 5-6 different apps, one on each friend.

Don't underestimate the network effect.


Facebook’s brand has been all but destroyed. The Quest 2 is prime evidence for that. It’s an amazing device at an amazing price that didn’t have as many adopters due to Meta’s past reputation.

Social networks are not an essential service. There are other social networks and there are other forms of communication including SMS which is standard on all phones. If you’re not willing to pay for a better service like iMessage instead of an ad supported one, that is your problem.


> It’s not as endemic as you make it out to be or there would be a public outcry.

There's no [significant] public outcry because most people use facebook or whichever latest popular thing.


Doesn't Meta have an obligation to protect users that do want to use their product? This is like saying people should be free to pee wherever they want, if you're worried about the smell, don't walk there.


Actually, the pee analogy fits better with your argument. You’re arguing that people can siphon electricity and use Meta’s servers without paying (via ads).

As I’ve already mentioned, Meta isn’t a utility that people can’t live without like a phone. If they don’t like it, they should use something else. There are many alternatives.


Meta is worried about abuse because if 99.999999% of posts on Meta are spam, people stop using it.


Nonsense, it’s a private company, they can allow or not any access to their platform. I’m not a fan of Facebook in any way, but they have the right to do this, and ban users for their own reasons. Don’t like their policies? Don’t use the service, I don’t.


> There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them.

You don’t! Just don’t use meta products at all!


Of course they should be able to block 3rd party clients. Just because it's technically possible to hijack an API, doesn't mean it's legal or ethical. If you don't want to be tracked, don't use Instagram.

However, Meta blocking the developers' FB accounts is basically harassment. Let the courts sort it out if their app is illegal. Meta shouldn't take things into their own hands.


>Of course they should be able to block 3rd party clients. Just because it's technically possible to hijack an API, doesn't mean it's legal or ethical. If you don't want to be tracked, don't use Instagram.

This is the bit that's confusing to me.

If I want to access my FB/IG/whatever content, and present my credentials to the server along with a valid request for my data, why should Meta care how I do so?

I could be using nc[0] piped through openssl, rather than a web browser (do you believe Meta can mandate which browser you use and/or what add-ons/extensions it runs?). Is that "hijacking" the API?

If the answer to that question is "no," then shouldn't I be able to write my own client, to access my data, too? If you think I should, then how are either of those (nc, write my own client) really different from using software written by someone that's not me or Meta, as long as I (providing authentication/authorization for my own access) use it to access my own data?

[0] https://www.unix.com/man-page/Linux/1/nc/


> why should Meta care how I do so?

They care because it is part of their business model. If you avoid tracking that affects their revenue.


The data served via API isn't yours, that's FB's data. You can download YOUR data via a page on the FB site.


The data served via the API is ultimately what's displayed on the screen of the official client - if they're displaying it to you, they're happy for you to be seeing it and it shouldn't matter whether you're seeing it in the official client or third-party.


That's not how it works. If a badly configured NSA server displays confidential data on your screen, you're still a criminal if you make use of that to access data.

> it shouldn't matter

According to? That's an ethical stance one can take, but it isn't how our laws work.


>According to? That's an ethical stance one can take, but it isn't how our laws work.

What law? Please be specific here as I'm not clear what you're getting at.

If you're referring to the Computer Fraud and Abuse Act (CFAA)[0], it states:

   The law prohibits accessing a computer without authorization, or
   in excess of authorization.

WRT NSA servers, accessing classified information (assuming you don't have clearance and/or a need for that information) would violate the CFAA and possibly the Espionage Act[1].

However, in this particular case, an end user is accessing data (with appropriate credentials that have access to no more and no less than the data they are authorized to access) for which they have appropriate authorization. As such, it can't be a violation of the CFAA. So, where's the "crime" here?

I'm not sure how you're getting from point A to point B here. If you could help me out, I'd appreciate it.

[0] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

[1] https://en.wikipedia.org/wiki/Espionage_Act_of_1917


> If a badly configured NSA server displays confidential data on your screen, you're still a criminal if you make use of that to access data.

If a badly configured NSA server gives you data, intentionally accessing it (and/or then misusing the data) would be the crime. I don't think it matters whether you view that data in a browser, a terminal or some third-party client.

Here, the third-party client is accessing the exact same data the official client is. It's not bypassing any access control, in fact it needs your credentials to be able to access the data you're authorized to view.

> According to? That's an ethical stance one can take, but it isn't how our laws work.

I'm not even sure if a law has been broken here? Breach of ToS != crime. As far as I know there is no unauthorized access taking place - the unofficial client is using your credentials to legitimately access the same API as the official one does; it's not giving you any extra data that the official client doesn't.


Of course it wouldn't be a breach if the data just popped up on your screen without you actively trying to access it. But if you, knowingly, access material you shouldn't have access to, it could be a breach of ToS.

> Breach of ToS != crime.

Breaching a contract is not generally a crime either. But it might lead to a civil case.


>The data served via API isn't yours, that's FB's data. You can download YOUR data via a page on the FB site.

Just to clarify, that means your answer to the question:

   I could be using nc[0] piped through openssl, rather than a web
   browser (do you believe Meta can mandate which browser you use
   and/or what add-ons/extensions it runs?). Is that "hijacking" the
   API?

Would be "yes." Is that correct?

If so, please consider what that means for your property rights.


Devil's advocate: you see a ToS when using a service for the first time. If that ToS is not illegal in your jurisdiction - you may either accept it, or abstain from using the service. How are you eligible to use any service beyond their ToS? It's like a private club: adhere to the rules or go find another club. Or, even better, open your own.


I agree with you wholeheartedly. However I can't resist shilling self hosted alternatives here.

> There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them.

Stand up your own PixelFed instance for your family and friends today!


On the one hand I agree with you, and I detest FB/Meta, but the purpose of these apps is almost universally “block the ads that pay for the service”.

Given that, what should a company do?


What you’re missing here is that you don’t actually have a right to be a user.


Privacy proponents should cheer for this. Legally Meta must take down the app to comply with FTC's order (obligatory not a lawyer): https://www.ftc.gov/business-guidance/blog/2019/07/ftcs-5-bi...

> Another way the FTC says Facebook violated the order was by failing to adequately assess and address privacy risks posed by third-party developers. Other than getting developers to click an “I agree” terms-and-conditions box when registering an app with the Facebook Platform, Facebook didn’t screen developers or their apps before giving them access to massive amounts of data that users had designated as private. Of course, in the wrong hands, information like that can grease the wheels for identity thieves and fraudsters.

> The order imposes additional requirements to address Facebook’s illegal conduct. For example, Facebook must implement a stringent program to monitor third-party developers and terminate access to any developer that doesn’t follow the rules.

https://www.ftc.gov/business-guidance/blog/2019/07/ftcs-5-bi...


Are you accusing these developers of violating privacy?

If not, you're twisting things to the point of deception. Facebook is supposed to crack down, yes, but it's a specific thing they're supposed to crack down on, not ad-removal.


> Are you accusing these developers of violating privacy?

Yes, the app is downloading private user messages (ostensibly to show a modified messaging interface) and private photos, according to their feature list.

This isn't a simple DNS-level ad-block, it's acting as a proxy where the app developers can intercept and see all data.

Their website doesn't even have a privacy policy, just a dummy link: https://www.theogapp.com/


An app downloading on behalf of the user isn't a privacy issue.

Are their servers acting as a proxy? Whether that's a privacy issue depends on how they configure/limit/audit their servers.


An app downloading data on behalf of the user is basically what Cambridge Analytica was doing.

The problem is that data ownership is complicated. If I know your phone number, can I share it with other people? That was CA (me downloading data about all my friends). Here the issue is private messages — is it okay for me to share the messages you sent privately to me? A lot of people will get quite upset if you do that!


If I send you something, you should be able to copy and distribute it as you see fit, no matter what I wish you would and wouldn't do with it, and my recourse should be limited to not sending you more things in the future.


In this interpretation, FB should not have been fined for CA. While it’s a cogent theory, regulators disagree with you and they have guns backing them up.


Thankfully many of us here live in countries where the pen is mightier than the sword. If regulators' opinions don't match up with those of the people, then maybe we need some new regulators.

Not trying to imply there's any sort of consensus here, of course. Just that "regulators disagree" certainly isn't the end of the discussion in any country with a functioning democracy.


What if you make me sign some sort of NDA/ToS?


To be clear, I'm not saying that there should be no consequences if you distribute a message that I didn't want you to. I'm just saying that I shouldn't be able to stop you from doing so. If you signed a contract saying you wouldn't, and then you do, I should still be able to sue for that, but the existence of such a contract shouldn't let me control your technology to prevent you from breaking it in the first place.


I'm confused, what's the point of the contract that says "you can't do this" if not to legally enforce that you can't do that?


I'm distinguishing between two different meanings of "can't": not allowed vs. not capable. You should be capable of violating NDA/ToS's, but possibly suffer legal consequences if you choose to do so.


> An app downloading data on behalf of the user is basically what Cambridge Analytica was doing.

Nowhere close. CA was asking permissions from users and then got the data from those users and all of their FB friends who did not agree to anything nor did they know their data is being collected.


This is exactly the crux of the problem. Consider Alice and Bob, where Bob used CA and Alice did not. Alice shares her data with Bob. What can Bob do with it? Can he share it with CA?

It’s messy! Another similar problem in this vein is data about you that does not belong to you. Who owns your purchase history from Amazon, or which pages you clicked on? You? Amazon?


> An app downloading data on behalf of the user is basically what Cambridge Analytica was doing.

That's half of it. Is the app sending the data back to the app makers? If not then it's extremely different.


If the app is downloading the data, what’s stopping it from sending the data to the app makers?

Previously FB paid a 5 billion dollar fine because of insufficiently policing third-party app developers.


How is Facebook supposed to know how they configure/limit/audit their servers?

Are they just supposed to take their word for it?

Cambridge Analytica said they weren't abusing their access, too.


That is a naive view. If/when the app devs go malicious, it will be Meta on the legal hook for users' "stolen data."

The press and users will blame Meta, not the developers of this app, or the users that unwittingly handed over their data. The headlines will say "X million Facebook users' data leaked," or "X million Facebook users hacked."

Meta is acting in an entirely reasonable manner for a company under such regulatory and press scrutiny.


Blocking the app from accessing Instagram is one thing. Permanently banning the Facebook accounts of all the employees is another.


That's a potential privacy violation.

Distinguishing "it violates privacy" and "it could violate privacy if the code was changed" is not naive.


Are you seriously saying it should be Meta's job to continuously reverse engineer a third party client (that doesn't even have a privacy policy) to figure out if it violates users' privacy?

That's absurd. Far more sensible to just ban it and call it a day.


I didn't say that.

What I said is that the two scenarios are very different.

ipsum2 is accusing the devs of already violating privacy.

Also their privacy policy is here: https://www.theogapp.com/privacy


Does Microsoft get blamed every time credentials get stolen from a Windows box? Why would this be any different?


Because FB was blamed for the Cambridge Analytica scandal, which, at its core, was simply an issue of providing OAuth2 logins to third parties.


If Microsoft provided a public API where you could download all the credentials for both the user and all their friends, then yes, Microsoft would be blamed.


The FTC consent decree disagrees with this take.


Someone didn't read the GDPR...


> Yes, the app is downloading private user messages (ostensibly to show a modified messaging interface) and private photos, according to their feature list.

In 100 years, I wonder how we will look back at how our generation tried to wrap its head around how digital information works. The implications are mind-bending and we've been figuring it out our whole lives, with new aspects appearing regularly.

People like my grandparents couldn't ever download a conversation and share it, not in the same way.


Incredible re the missing privacy policy. Definitely not a group of people that should be responsible for anyone's private data.


What evidence do you have that this application was acting as a "proxy" where the developers can "intercept and see all data"? That's a pretty big claim to make without providing any supporting evidence.


That’s how any third party interface works. It’s a proxy that ostensibly just formats and displays the data to the user but there is no way to guarantee they don’t upload it to their own servers or something, as Cambridge Analytica did (which got Facebook in trouble)


There is in fact a way to verify whether the application sends the data elsewhere. The most basic of network monitoring tools will immediately indicate what external hosts are being communicated with. If all the network activity is strictly with Instagram's servers, it's plainly clear that the app dev is not siphoning off user data.

So, this is why I ask. It's actually really easy to find out what network hosts a piece of software is interacting with. If the dev really is stealing user data, it should be trivial to prove. This is the evidence I am asking for, otherwise that person's claims are completely baseless speculation.


Meta doesn’t have the ability to monitor its users’ computers to see if any of them end up having data sent to a server.


Again, I'm asking _the person in the thread above_ who made these claims that the app is stealing user data to provide any supporting evidence, perhaps via the methods I described in my last comment. I'm not talking about Meta.


That's not what you were asking. You asked 'What evidence do you have that this application was acting as a "proxy" where the developers can "intercept and see all data"?'

The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.


Is the Facebook Messenger app a proxy? Is the Instagram client a proxy? Is the mail app on my phone a proxy? I'm trying to grasp what definition of "proxy" you're using here, because every usage of the word "proxy" I've ever seen relating to internet services is: "a program which redirects network traffic to another destination". The subject is explored in detail at https://en.wikipedia.org/wiki/Proxy_server . Yet again, I'm seeking to see any shred of evidence that even _suggests_ that the application has acted as a "proxy" or sent more user data to the app developer than absolutely necessary to function.


>The app is by definition acting as a proxy, and therefore the developers can intercept and see the data, though they might not be doing so currently.

You're making an assumption here that hasn't been confirmed. That assumption being that any app accessing user data from Meta is proxying (i.e., streaming the requested data to the app publisher's servers and then passing that data along to the end user) that data through their servers.

Is that the case with the app in question? Is it the case with every such app?

Or are there apps that directly connect to Meta's servers from the user's hardware without streaming the requested data through the app publisher's servers?

The app in TFA may be proxying (see above) data through their servers (that's the definition of a proxy in this context), but I don't know if they are doing so. If they are, there certainly are serious privacy/security issues with that process.

But again, no one has provided evidence that's what the app in question is doing. If they are, you should run screaming in the other direction.

However, if the app is simply performing the same API calls as Meta's app and returning the data directly to the end user, the risk profile is pretty similar for both apps (dependent on code quality, the ethical stance of the publishers, etc.).


I (and the person who wrote that) made no such assumption. A client side proxy is still a proxy. That’s why, for example, Charles Proxy is a proxy.


Charles Proxy is proxying requests to your browser.

If you use the built-in dev tools to do the same thing, then there is no proxy.

An alternative client for something is (usually) not a proxy. It connects directly.

But more importantly, "a proxy where the app developers can intercept and see all data" is not referring to a client-side proxy. Even if there was a client-side proxy involved somewhere, that would make the initial claim wrong.


Yes, an individual can do that.

That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.

It doesn't matter what the app does at this moment, it can be changed at any point.


Should Meta also ban users who connect to their services from GrapheneOS, since it could be updated to steal all of your application data in the future?


>That is not the point. The person you replied to wasn't saying they know for sure they were stealing user data, just that Meta has no way of knowing they aren't, and even if they aren't right now, no way of knowing if they will start in the future.

But isn't such an application running on the end-user's hardware and making requests at the end-user's behest?

If so, what does Meta have to do with it at all? Should they be allowed to tell me what software I'm allowed to run on my hardware?

The risk you mention is all on the user's side and none of it on Meta's side. If the user decides they want to accept that risk, AFAICT it's no skin off Meta's nose. Or am I missing something here?


The user is risking more than their own data; they are also risking the data of their friends.

If I grant a friend permission to view my photos, I am not also granting some random 3rd party that permission.


>If I grant a friend permission to view my photos, I am not also granting some random 3rd party that permission.

Assuming the "third-party" client is just that (a client app), there really shouldn't be an issue. If I use FluffyChat[0] instead of Element[1], do the FluffyChat folks have access to all my (and those with whom I communicate) Matrix communications? If I use Element, do they have such access?

If you use Firefox to access Facebook, are you granting Mozilla full access to your (and your FB friends') profiles?

There has been a lot of noise about "third-parties" and how they only exist to steal your data.

But we use "third-party" clients all the time. Web browsers, IRC clients, and a host of other "third-party" apps. Why aren't you up in arms about them stealing your data and that of your contacts?

[0] https://fluffychat.im/

[1] https://element.io/


Those other third party apps usually have a monetization scheme that's clearly separate from a need to steal your data or are open source which allows you to see if there's any weirdness or build it yourself. And I shouldn't need to mention that if it was found out that Firefox was uploading data from every page you read to their servers that there would be a massive reckoning.

Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.

Similarly and I keep mentioning this: Just because there's no current evidence of them stealing your data does not make them trustworthy. A site asking you for Steam login details would be almost impossible to prove that it's phishing for login details, but it would be a bad, bad idea to put in your login info anyways.

If they want their app to be trusted then it should be made open source.


>Tell me, for the OGApp what is the monetization scheme? How do they intend to make money? By default if you don't see anything upfront you should assume that your data is what is being monetized. And your data in this case includes everything the app can pull down from Instagram while it's acting as a proxy.

I have no idea. I'd never heard of this app as I don't ever use whatever functionality it provides.

I'm not saying these folks are saints, I have no idea what sort of people they are. If it makes you feel better, I'll posit that they're scumbags who would sell their own mother for a nickel.

But that doesn't change the fact that I (or anyone else, for that matter) should be able to use the client of their choice for anything. If that's not the case, then Meta (or HN, for that matter, if they decide to be as scummy as Meta) would be within their rights to decide which browser you use to connect to their properties, and what add-ons you install in that browser.

Sorry, that's not an acceptable solution[0].

>If they want their app to be trusted then it should be made open source.

You won't get any argument about that from me. But even if these guys are all clones of the anti-christ scheming to destroy humanity (for the record, I have no idea and make no value judgement about the ethical standards of the app publisher and its employees) by creating a subset of the data Meta already collects, if I (or anyone else) decides they want to use that software on their personal property, who's to say what can or can't run on that hardware?

I don't (and wouldn't try to) speak for anyone else, but my property belongs to me and I will run the software I choose on my property. That has nothing to do with Meta or the publisher of the app discussed in TFA. Rather, it's about my control of my property. Full stop.

[0] My objection is one of principle, not about any specific software. And I stand by that objection.

Edit: Added footnote.


Yes, you can choose whatever software you want to run, but Meta would be in full rights to ban you for using third party clients. And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials because said users don't exist in a vacuum. They have friends, family, private messages and so forth that other users did not consent to have stolen or taken by a third party. This was the whole Cambridge Analytica controversy in a nutshell and their decisions around stuff like this all stem from that.

And in fact, sites are within their rights to determine which browser you can use to connect. Sites are often designed for and optimized around certain browsers and if they detect you running Internet Explorer 3, they can tell you to go away. This is a fact of the internet. And you're just as free to simply not go to their sites. This has been a fact for decades. No site is obligated to serve your obscure internet browser. And no API is obligated to serve every client that calls it.


>And Meta has a vested interest in ensuring that people aren't using clients that scam their users out of their credentials because said users don't exist in a vacuum.

Did this specific app actually "scam users out of their credentials?"

I'd expect that they didn't "scam" anything. The end user installed the app and voluntarily provided their credentials in order to access their content.

How is that a scam? If I'm using an Android phone and sideload an app to access say, HN, whether that's an apk from a publisher's website or from F-Droid, have I been scammed out of my HN credentials by that app's publisher?

If the app claimed to be the "official" app from Meta and used phishing techniques to get folks to install the app and/or reveal their credentials, that would be scamming.

But a deliberate choice by a user to use a specific app for a specific purpose, with the app in question actually serving that specific purpose doesn't seem like a "scam" to me.

Sure, Meta doesn't like it for a bunch of reasons. And it doesn't surprise me that they took action to smack these guys down. But characterizing this app as a "scam" doesn't seem to reflect reality.

Or am I missing something?


You have a strange definition of proxy. That would make the official app a proxy too, wouldn't it?


> Their website doesn't even have a privacy policy, just a dummy link

That’s not true at all. They have a privacy policy linked at the bottom of their page. It opens in a new tab by default which is probably blocked by our adblocker.


According to the source code, the link is broken for desktop (class="footer_component desktop"), but not mobile (class="footer_component mobile").

   <a href="#" class="footer-link">Privacy Policy</a>
is a non-functional link.


Probably has some javascript handler or something?


It was easy to test by turning off the adblock and it definitely doesn't work.


I just checked in Firefox on desktop - and their privacy policy links to a real page. I thought maybe it was recent, so I checked on the Internet Archive as well. Nope, it's been there since at least September.

Are they doing something weird and non-standard that may not work everywhere? Quite possibly. Is it a dummy link that goes nowhere, per your claim? Absolutely not.


Proxying... I don't think it means what you think it means. By that logic they should ban all of Google's employees because Chrome "proxies" information from Facebook's servers (i.e. Chrome shuffles private data from Facebook's servers to user's eyeballs)


>Yes...

Do you have evidence of this? An example of network traffic indicating that the app is communicating with something other than Meta, perhaps?


How is Meta supposed to verify this? And verify that they don't start behaving badly in the future?

This is what got Facebook in trouble with the FTC... they allowed developers access to all the users' data without oversight. They are required by their settlement to not just trust app devs that they won't abuse the data.


That's not what I am asking. GP said that this third-party app is violating user privacy, and I am asking for evidence of that. As of now, there's nothing to suggest that the app is doing more than we're led to believe they are. CA went beyond what they claimed they were doing.

That said, while I don't disagree with the point you're making, I disagree with the approach. There's a difference between recognizing that the market is interested in the approach the third-party app is taking and working with them to figure out how to move forward together, and nuking from orbit the unconnected personal accounts of everyone tied to the app on LinkedIn.


Is Meta obligated to work with anyone who wants to? Are they required to dedicate resources to every company that approaches them wanting to partner?


Nope, they sure aren't! Just as they're not obligated to nuke all of the personal accounts for everyone who works for the third-party app.

Not being obligated to do something doesn't mean that one is excluded from looking like an asshole if they don't do that thing.


On my old-ish laptop the website managed to lag like the browser tab is running at 15fps, impressive...


The privacy policy link being broken is definitely unfortunate. Anyway, here's the page it is supposed to link to https://www.theogapp.com/privacy


It’s not broken, it opens in a new tab. Your browser or adblocker is probably breaking it.


Let us go read their own twitter for fun.

https://twitter.com/theogapp_/status/1574811386613334017

The app logs you in from a different location, requires an intermediate login if you use 2FA (they promise they log out immediately after), is sold for free by a venture backed startup, long-term vision is to export your data to other social media, and says logins always show up as Android (even on iOS).

Maybe they aren’t doing anything malicious, but wow I would not trust it.


Are Firefox/Chrome third-party developers too?

What's the difference between me creating my own web browser that renders instagram according to my own rules vs Chrome?


It's worth noting that the app received $1M in preseed funding: https://techcrunch.com/2022/09/27/og-app-promises-you-an-ad-...

It's also worth noting that the Instagram API is extremely locked down for typical users (which is the reason why there hasn't been a clone like this) as it is limited to Businesses and Creators, but the app demonstrates features not available by the official API: https://developers.facebook.com/docs/instagram

They tweeted that they reverse-engineered the Android API, which would likely get you personally banned anywhere, even without a business: https://twitter.com/TheOGapp_/status/1574811387737407490


> They tweeted that they reverse-engineered the Android API, which would likely get you personally banned anywhere

The question is - how do we even allow it to be legal? Not being able to reverse engineer applications running on your own devices is some kind of bullshit dystopia, tolerated only because the average citizen is not technical enough to realize how dystopian it is.


Listen, I really didn’t like the way your machine consumed your resources, so I built my own machine that consumes your resources. You should totally let me do this because it’s what your users want. Oh, and I also told your users to stop paying you because that’s anti consumer.

Meta is wrong in a lot of ways, but this isn’t the right way to fix the problem. Just remove Meta from the equation entirely.


I completely agree that this isn't the right way to fight Meta, but I disagree about "Letting" you build a machine that consumes resources.

It's not OG or Facebook's machine that is consuming Facebook's API Resources. It is software that is running on the User's hardware. The user should be, and generally is, allowed to make any request to Facebook that's not actively malicious - Using whatever software they choose as their user agent. That means a third party client, developed with the express intent of not showing ads. It's my computer, not yours,


That’s an idealistic view. The pragmatic one is to turn the page back a few years to Cambridge Analytica. There is a good quote from Zuck testifying to Congress in this article https://www.theguardian.com/technology/2018/apr/11/mark-zuck...

> “When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case. In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it. We’ve updated our policy to make sure we don’t make that mistake again.”

If there is a third-party server in the middle of you and the service, you kind of have to assume that they are doing something with the data.

It is made worse because some developers aren’t doing questionable things. Others are doing questionable things. But you have no way of discerning between the two groups.

So, it has now become against the TOS to have a third-party make requests on your behalf.

Should we believe in the internet’s ability to be unequivocally good, or should we look at history and realize data protection is a serious problem?


> So, it has now become against the TOS to have a third-party make requests on your behalf.

Me installing a third party FB client on my phone and making requests through that is not a third party making requests to FB, otherwise browsers would then have to be classified as third party. There is no requirement for a third party client to go through a third party server.


I agree with you and disagree with you at the same time.

Here’s the rub though: if you make and distribute a thing, with the sole intent that the thing will be used for stealing something, is that ok?

If I made a device that could unlock and start a car, that required no knowledge of how the underlying tech worked, and I advertised it as “OGTransportation, transportation like you want it. No car payment, no paying for gas. Just get in and drive”

Not sure I’m feeling the whole argument.


What The OG App did was the equivalent of building and distributing a third-party telephone, rather than everyone having to use one rented from Ma Bell.


This is only true if you also agree that they used a pair of alligator clips and attached it to the copper wires on the pole as well.

The infrastructure has real costs, the api development, storage, and maintenance that they aren’t compensating Meta to use.


In this case, the third-party telephone is allowing unlimited free calls using Ma Bell's infrastructure...

I agree with you that Meta is ass for society. Simultaneously, these third-parties are parasitic. Ultimately everyone sucks here.


The solution to that is to fix your infrastructure to not trust the client, rather than trying to enforce use of a particular client.


The "infrastructure" here is advertising, or rather, the need to fund real world things with advertising because there's no way yet to micrometer what users consume on the internet and get them to cough up money for it.


Sure, that might be a problem. But it should be Meta's problem, and they shouldn't be able to make it The OG App's problem or any individual user's problem.


I fail to see how this is different from augmenting a website with Adblock and userscript.

If you don’t want to leak info then don’t expose it on the API, private or not.


It’s different because they didn’t make the information/source code available on GitHub and say “go at it”, allowing each user to choose to violate the TOS. They actively facilitated the behavior and received funding to do so.

Also sites block users with AdBlock enabled all the time, how is this any different?


> how is this any different?

It's not, blocking users with ad blockers is not tolerable either. If you're unhappy with people consuming content on their own computers, find a different business model that you're happy with.


Which social networks will permanently ban you if you ever visit them with an adblocker enabled?


> so I built my own machine that consumes your resources

They designed the machine.

It's the users that are making instances and running it, right?


If the users were building the source code and deploying it to their devices, sure. That’s not what’s happening here though.

This isn’t DeCSS, this is a company trying to build and sell a DVD duplicator that advertises that it rips copyrighted content and also removes the previews.


It's hardly a duplicator. If anything it's a DVD player that removes previews, and that sounds like a great product.


This is the point that Richard Stallman tried to hit over 2 decades ago with Right To Read (https://www.gnu.org/philosophy/right-to-read.en.html ) and got close but not quite --- yes, source code is valuable, but even without source code you should still have the "right to read" what your own computer executes, as otherwise it is not truly yours.

In fact I'd go as far as arguing that true software freedom isn't about availability of source code, but what you are legally permitted to do even without.


In Europe, reverse engineering is legal by the means of observation, and decompilation in some cases, as long as you have a license for using a program:

https://vidstromlabs.com/blog/the-legal-boundaries-of-revers...


If you want to be able to reverse engineer everything on your phone, then I would say that Android and iOS are not for you.


I have some trouble with "telling a third party developer they can't replace parts of your server-driven app for their own profit is a dystopia."


Are you using any browser extensions that do something with website content?


No, and that isn't equivalent


> No

You either hate yourself or you don't use the Web too much.

> that isn't equivalent

It absolutely is. There's a service out there that's meant to communicate with applications running on my computer. What my computer does is 100% up to me. If this means your business model that relies on locally running code is hurt, that's something you should have factored in into your decision to choose that business model.


> You either hate yourself or you don't use the Web too much.

This doesn't seem like an appropriate thing to say. Good luck to you.


Is the Web going to be sad because of what I said about it?

Let me rephrase: "browsing today's Web as-is is an extremely miserable experience and the fact that you can put up with it doesn't mean everyone else should".


> It's worth noting that the app received $1M in preseed funding

Guess the investors should have stuck to real estate


Great due diligence on this deal. Who thought it was okay to rip off the old UI and reverse engineer the API?


Investors barely know head from tail, you're expecting way too much. It has to sound cool.


They could've been explicitly looking for this to happen in order to set a legal precedent: https://news.ycombinator.com/item?id=33018319


How did they get pre-seed funding for this? Unless I'm missing something, any angel who would invest $1M into a company that is building an alternative, ad-free Instagram client has to be one of the dumbest people around, no?

How could anyone even conceivably think this could go on indefinitely?

I'm asking genuinely because I don't get how anyone could've thought this would end any way other than by Meta putting the kibosh on this.


It can be that they're actively looking for this to happen to set a legal precedent legalizing this.

It's not a bad argument - if you are allowed to view content in an official client, it must mean that you are licensed to view said content and that a third-party client which displays the same content should be allowed to do so since you've already got a license for it.

Adversarial interoperability is our only escape of big-tech monopolies.


Several YC companies are doing the same in later stage of funding such as beeple. They reverse engineer and bridge multiple platforms.

Reverse engineering is not illegal and if there is genuine demand for an alternative client, why would investors not fund it?

Eventually, you will become big enough to be the next Plaid and force everyone to open their APIs.


They could be non-technical people with no experience in software, they could have been misled by the company, or maybe they really thought they could get away with it somehow?


This is honestly the exact reason I haven't tried to develop a facebook app or extension... I've heard that the smallest mis-step can get your account suspended like this. Not like a 'here's a warning' but 'you read a variable you shouldn't have, now your whole account is deleted'.

This isn't usually a problem, except Facebook has a pretty unique position in our society. It might be the only social media some of our immediate family have. It's the de-facto social media presence for some smaller community organizations (like parent groups) and hobby groups. A ban from Facebook is a lot more deeply impactful than being banned from, say, gmail or something.

I could understand if they sent the developers a cease-and-desist or initiated some sort of legal action with this as a potential consequence. I could even understand blocking the app until it was resolved. But actually searching up the dev team and banning their personal Facebook accounts for something they're building on Instagram...

This makes it so much scarier because Oculus is also Meta, and the community there is still heavily reliant on developers to grow since Meta has sunk so much money into it and it still hasn't quite found its footing in the market. Do they think more people are going to develop for it if a potential consequence is their facebook account will be perma-banned as a first-resort? Would you be willing to experiment on that platform?

Anyways, I'm no gazillion-dollar monopoly, but it seems vindictive more than good business sense.


> Facebook ... might be the only social media some of our immediate family have

It's funny how prevalent this meme is. But I'm not expected to have an AOL account just because it's the only social media grandpa has. Or MySpace just for Aunt Lolita's sake. No, they are both supposed to get Facebook accounts because that's what cousin Ralph has. And I'm supposed to move for the same reason. Well, if Ralph wants me to know what he ate for dinner, he can find me at my local bbs.


Many folks on here might be too young to remember, but there was an era where cable companies served premium channels with a scrambled signal to all customers, and sold access by way of attaching the appropriate filter. In fact, all channels were protected in this way, with your cable box holding the necessary filters. Albeit, some were merely hidden by a band pass filter and not scrambled.

Anyhow, those arguing that third party clients ought to have access to the API are making a similar argument to those who wanted to use third party filters to access channels they hadn't paid for. Why, it would go, if the cable company didn't serve the signal then it wouldn't be available to be used.

Which is not unlike claiming that the data provided by a private API is free for the taking. It's not, and it's certainly not with the consent of those endeavoring to keep the API private, even if it's accessible.


They aren't making the api private, they are making it tricky.

They have no intention (that I know of) of banning new browser technology. They don't say you must use Firefox/Chrome. Which means I can make my own browser and render it however I like.

If the data was meant to be secret, it would be encrypted. At the moment, if I do

> curl -L instagram.com

I get a mix of HTML, JS and CSS. In plain old text.

What am I allowed to do with this data?

Do I have to render it according to what WHATWG says? Obviously not.

If they were trying to limit access to their data, they would, like cable companies do, provide a secret to me so that I could decrypt the response.

Why don't they do that?

Because they want the data *public*.

They could make instagram available only via its own app with its own transport layer.

If they did that you would be violating anti-circumvention in the DMCA by reversing and publishing the protocol.

They want the data open and available to everyone to lower the barrier to entry to make more money. The tradeoff is that they don't control how that data gets presented.

Entirely their choice.


> What am I allowed to do with this data?

Their ToS disallows the use of unauthorized clients; if one were to accept the ToS, create an account, and use the unauthorized client then they would have violated the agreement and circumvented the legal protections around the private portion of their API.

> If they were trying to limit access to their data, they would, like cable companies do, provide a secret to me so that I could decrypt the response.

They do. That's the effect of having portions of the API and data accessible only to those who are logged in, and have agreed to the terms of service.


Doesn't seem like a valid analogy to me. Access to an API isn't the same thing as intentionally accessing a paid service for free.

If someone writes an app that somehow bypasses needing a Netflix account and lets you stream video from them without paying them, that would be analogous. The intent would be to illegitimately access a paid service.

Using a third party client with a valid account to access API endpoints that respond to that account. I don't see a problem with that. I don't care what the ToS says. It should not be legal to disallow that in a ToS. It also shouldn't be legal to intentionally obfuscate your APIs.

Third party clients are okay and attempting to block them is morally wrong and should not be legal.


By ignoring the agreed upon terms of service and violating those terms you would be violating the consent of the service provider.

If you don't find those terms favorable the correct action is to not use their service; violating their consent is not morally sound.


Well on the contrary, I'm saying that I find those particular terms immoral, that those terms should be disallowed by law, and that I think it is either morally neutral or possibly even virtuous to intentionally and knowingly violate them.

It's similar to civil disobedience I suppose, except in this case not a law but rather a civil "contract" inasmuch as an impenetrable ToS that a user is forced to click through can be viewed as a proper contract as opposed to a written notification from the vendor that they intend to terminate your service if they discover you doing any of the following things.


>Many folks on here might be too young to remember, but there was an era where cable companies served premium channels with a scrambled signal to all customers

Even more esoteric, there was an over-the-air company, IIRC called Vu, that broadcast an analog encrypted signal that required a box to decode properly. Tuning in without it resulted in a signal that was not in-sync so the h&v blanking floated across the screen. In my area, it was a UHF channel that would switch to the premium encrypted signal at 7pm. The decoder was about the size of an Atari 2600 console.


If a third party can build a box to decrypt your encryption without you providing a key, then instead of suing the third party out of existence, you should pick a new encryption algorithm that's actually secure. Consider this analogy: should Master Lock be able to sue companies that make padlock shims, since several of their locks are vulnerable to shimming attacks?


If people use weak locks on their house I should be able to pick them and let myself in, right?


No. My point is if you do that, only you should get in trouble, not the company that made the lockpicks you used.


The companies that made the lockpicks have the argument that they're only to be used by professional locksmiths in the process of opening a lock that the owner has authorized them to, which is legal. Selling a tool that only has illegal uses would quickly lead to trouble.

The third party clients can only be used in a way that violates the ToS.


Building and owning circumvention devices is generally legal; using those devices to access things protected by locks, which you are not authorized access, is generally not legal.


These companies can ban the US President from their platforms. What makes you think they can't ban yours - you don't even have any nuclear launch codes...


*These companies can ban a terrorist from abusing their platforms as a terrorist control channel, banning him years too late due to their corrupt incentives.


These companies don't ban real terrorists, though: https://www.yahoo.com/entertainment/twitter-refuses-ban-tali...


Is this the narrative now? Tr*mp is a terrorist? Are we holding the same standards against previous presidents, too? Is drone striking Americans without due process also a terrorist move? Or are we only going to focus on the one president that said mean things on Twitter?


*that tried to lynch VP, Congress via tweets


So we're just making stuff up now? This tweet doesn't exist.



Obviously they can, the surprise is that they did.

Vindictive actions like this are rarely profitable, they tend to scare people off from doing business with you.


Unless you're a monopoly and then you can do whatever you want because your customers have no alternative. Which Meta is (well, it's a duopoly with Google).

Anyway Meta's customers, and the only entities it cares about, are large ad buyers. None of them will give a crap about this random app and these random human beings getting banned. This has zero impact on their ability to continue writing checks to Meta and continue getting in front of your eyeballs.

If anything Meta's customers will be happy about the ban since this app caused fewer people to see their ads.


There are plenty of platforms out there besides Meta; numerous places, Fox comments, Stormfront forums, Gab, Truth Social, 4chan, Reddit, your own blog, Twitter. No one can say that there aren't other platforms.


Meta is a monopoly. It doesn't matter that other platforms exist. Those platforms don't make a lot of money (at least in the US) and whether you're a monopoly or not is about money. (You also don't need 100% - essentially if you have a lot and you have the power to distort the market, you're a monopoly.)

The business of social media is ads. In the US the vast majority of social media ad spend goes to Meta. Thus, monopoly.

Google and Meta hold a duopoly over digital ad spending in general.

The FTC agrees and is suing Meta for monopolizing social media and the "metaverse." Anything could happen with these lawsuits but they wouldn't be doing this if they didn't think they had a good case.


the personal account of the president, an important and not pedantic distinction because as a citizen he has no more rights than anyone else, despite having a lot of might. The president's not a king or a queen who can just walk into whatever place he or she wants, in my book a win for the rights of private citizens and companies in a Republic.


Personal account? He was forced to unblock users: https://mashable.com/article/trump-unblocks-twitter-accounts


> These companies can ban the US President from their platforms.

Good, you should be able to choose who you do business with, or at least that’s what conservatives argued for years.


Pretty sure “the free market” has decided that Parler and Truth Social are terrible social media products based on their relative lack of adoption


That isn't Facebook's problem that regular folks don't want to join a bunch of fascist platforms. No one is -owed- an audience of a billion people. I don't think the -means- of those should be blocked. ISPs, CloudFront, AWS, etc. shouldn't be able to block such orgs (as long as they aren't doing anything illegal) as they are providing a source that means the internet does fall apart because they are providing the most basic of what makes up the web/internet and it's easy to argue that they should be able to pick and choose like a Facebook/Amazon/Twitter/etc., who provide something that isn't a commodity.


The free market has made an enormous number of terrible, short-sighted choices. I am living in a (moderately) free market country, which isn't the USA, and government moderation is a never-ending war with the evolution of ways to circumvent regulations. These are only in place to try to keep food products from harming people eating them. I use food as an obvious example, but it applies to all branches of the economy - electronics, insurance policies, gambling, clothing, meat, produce, etc. All in pursuit of profit over humanitarian needs. Always trying to evade detection by means of misdirection, "accidental" omission; surely even bribery.


Give it a few.

It's only a matter of time until the Leftist tech platforms ban a critical amount of content producers and make themselves irrelevant. After all, each creator you ban represents a multiple of monetizable viewers that you just partially or totally told "don't come to my site".

Take Rumble for example. It still has a substantial amount of gristle, but a growing amount of mainstream content. It is also now a publicly listed company undergoing hockey stick growth at a time when most companies are not.


I don't think there are any "leftist" social media platform. Maybe explicitly leftist subreddits if that counts? But overall, there are normal people platforms and right wing propaganda platforms. Is this the effect where anything left of fox news is "communism"?

I hadn't heard of Rumble until now. But I'm just seeing some putin defense, covid conspiracy, and joe biden is a terrorist videos. And the UX is early 2010's.


Welcome to 2010 YouTube where adults can decide what information they want to consume.


Adults most vulnerable to right wing propaganda, the demographic famous for making good decisions for themselves and those around them.


Social networking space is not a true market due to the fact common users are not buyers or sellers in them.


Not exactly. You can't deny baking someone a carrot cake because they are gay for example. But you can deny baking them a cake that represents a gay celebration, for example asking to have two male figures on top, or delivering it to a gay wedding.

I don't think you should be able to ban someone because you don't like them. If it's the case that you should, why doesn't Facebook scrape off and ban known sexual offenders list? Criminals? Should someone that beat their ex-wife in 1987 really be on Facebook, let alone be able to look up his victim?

I personally think people should be allowed on unless they break the actual rules of the platform on the platform.


Most any business can ban a president. Put up a sign in your gas station and poof, you’ve banned Joe Biden.

What you’re talking about is the platforms relenting and finally enforcing their own terms of service. In this case, _not_ giving a president special exemption from rules that would have caused another user to be banned.

The only special treatment they applied was ignoring their rules for years. Your imagined persecution was simply equal treatment.


If it was a really good app you made, why not also make your own backend and completely decouple from meta?

If you build an app using the Meta platform in a way that is a clear violation of their TOS, the app will obviously be killed the second it gets popular. If I was running a service and another company attempted to do this to my service (violated my TOS, built on top of my private API in a way that stripped all my revenue and repackaged it under their name, etc) I would definitely ban them...


> If it was a really good app you made, why not also make your own backend and completely decouple from meta?

Because of the network effect.


Because the backend is the difficult part that tends to cost a lot of money in resources/infrastructure.


It's not just the app that was killed (which would be understandable), it was their personal facebook accounts that were in no way linked to the app.


The problem is that the only reason the app is getting press is because it's a ripoff.


Is NewPipe a "ripoff" too?


Well, what did they expect? Does anyone think a company will sit around while you strip their app of their revenue source and republish it?

Now I'm all for trying, I use adblockers and SponsorBlock, but we all know that they're unofficial methods that could be taken down at any time. That's exactly what happened to Vanced.


> Well, what did they expect?

It would be good if companies did not ban you on one site for violating the TOS of a completely different site.


https://help.instagram.com/581066165581870

Except for the part where the TOS explicitly states that you will be banned from all of Meta's products…


This argument feels like it would also work to support indentured servitude, since people agree to that at the beginning too.


That’s a pretty hot take, can you elaborate? I’m not sure I understand.


Your argument is basically "what Meta did is okay since you agreed to it in the terms of service that you accepted", right? I'm saying that like selling yourself into indentured servitude, accepting Meta's TOS is not always a completely free choice.


If you don't like Meta's terms, don't use Meta products and services. It's that simple.

There's no indentured servitude because you're not giving Meta free work. In this case, people don't want to pay for Meta services by viewing ads. If you don't want to pay, don't use the service.


> don't use Meta products and services. It's that simple.

Doesn't that basically completely cut you off from electronic communication with everyone else in most European countries, where WhatsApp has basically completely replaced SMS?


SMS didn’t disappear. You just have to pay for it with money.

WhatsApp also isn’t the only IM on the market. If you want to use it, you have to use it on their terms. I didn’t like the terms so I don’t use it. I prefer paying Apple upfront with money instead of paying other companies with my privacy and attention.


The issue isn't that I can't use SMS without paying. Even if I am willing to pay, it does me no good if none of my friends are using it because they're all only on WhatsApp themselves.


Everyone with a phone still has access to SMS. Your personal choice is not Meta’s problem, nor does meta have a monopoly on communication. No one, especially in developed countries, is forced to use meta services. There are many alternatives. I use iMessage myself which is great


It's not just my personal choice. I can't choose to use SMS to communicate if the people I need to talk to don't also make the same choice. And iMessage falls back to SMS when you send messages to people who don't have it.


SMS is standard and available on every phone by default. Again people’s personal choices, many of which have alternatives, are not meta’s problem.


Remember when Nestlé gave new mothers free trials of baby formula, that lasted just long enough that they'd stop producing breast milk? Was that okay too, since the mothers could have declined but made the personal choice to accept?


It’s a bad analogy because in this case, the alternatives never went away. If you don’t want to pay for a service upfront with money, you need to pay for it with ads on the service provider’s terms. That is your personal problem stemming from your personal choices. There are alternatives.


There's no way to pay for these services upfront and not have the ads and tracking, is there?

Alternatives aren't real alternatives if you can't get to your friends.


They are alternatives because your friends can also switch services. The problem is that you are not willing to pay either money up front or with watching ads. That is not a meta problem, that is problem with your personal preferences no matter how you want to spin it. There are many alternatives available right now and they didn’t disappear like your bad analogy. What you’ve written is clearly disingenuous because you’re not willing to pay for SMS, which everyone including your friends still has access to. It’s not fair to blame meta for that


> The problem is that you are not willing to pay either money up front or with watching ads.

> clearly disingenuous because you’re not willing to pay for SMS

Why are you saying this??

I am fully willing to pay that much. josephcsible also sounds fully willing to pay that much.


You’re right. I misinterpreted one of your comments


Luckily we have laws in place in many countries that invalidate contracts that are clearly disadvantaged to one party.

Meta made a decision they were entitled to make, though I understand that this is a separate point of controversy wherein companies are arbitrarily banning users across their platforms with no recourse.

Meta's TOS holds no weight over you outside their platform. Indeed the only weight they try to hold over you outside their platform (mandatory binding arbitration) has been demonstrated to be unenforceable in the U.S. at the very least.


No, not except. That is a bad thing, and putting it in the TOS does not change whether it is a bad thing.


I don’t disagree on that point. I’m just making it clear it was in the TOS.

I don’t want my Gmail account permanently banned because of a comment I made on YouTube, nor do I think that should be commonplace. I’m not sure what the best solution is though.

I once worked for a server hosting company that had a few different “branches”. It was pretty common to see different types of misuse or abuse. Whether it be credit card theft, hosting copyrighted content, or hosting phishing sites. I would go out of my way to monitor for and ban all associated accounts at all branches of the company. Not because I wanted to ban their personal accounts, but because 99% of the time those associated accounts would immediately engage in the same behavior. You can sit there all day playing whack-a-mole, or you can exterminate the mole.


I could see banning the app, and maybe their business accounts. But to track down the developers and ban their personal accounts seems rather extreme.


I could totally understand blocking the app, but going after the developers' personal accounts is petty and weak. OGapp should lean into it and offer to make something better; Meta's behavior is the sign of a failing company that's ripe for disruption, and many people are just looking for an excuse to get off the platform.


Maybe I’m just a graybeard but all this is reminiscent of the shenanigans that Ma Bell pulled. Not exactly the same but similar. History doesn’t repeat itself but it rhymes, as they say.

There’s a very simple solution here: common carrier. Treat social media as a modern utility. No viewpoint discrimination, censorship, algorithmic social manipulation or proprietary on-ramps.

The bad behavior has gone on long enough.


There is one thing worse: Typically these phone carriers had a duty to provide service in exchange for their monopoly. Here FB can ban you from their monopoly playground, piercing the liability shield that working for a legal company typically gives you.


There is plenty of freedom out there. If someone wants to be a Nazi/Antifa/Climate Skeptic (not you but the usual suspects) and try to stir up murderous crowds/riots/etc then do it on your own platform. There is Gab, Stormfront, Fox News comments, etc for that. There is no lack of platforms out there. All you have to have are the $$ and the grit.


Why haven't they also banned adblock developers too?

Should they?

There is no logical difference between:

Creating a new web browser that renders HTML from www.instagram.com and manipulating it via extensions.

The OG app that renders JSON from api.instagram.com.

If we can do one, why not the other?


Breaking:

> UN1feed says Apple removed The OG App, which let users create and share Instagram feeds without ads and suggested posts, from the App Store; the app ranked #50

[1] https://www.techmeme.com/220928/p47#a220928p47

[2] https://apps.apple.com/us/app/the-og-app/id1637701040


I wonder how many who think Meta are in the right here are themselves using things like adblockers, other browser extensions that modify page content to their liking, even Reader Mode, or basically anything other than a "I'll bend over and take it" attitude towards everything they use, because you're a hypocrite if you do.


I think Meta is in the right, and I use an adblocker on my browser. If they stopped serving me content because I'm using an adblocker, I would have to accept it or disable my adblocker on their website.

There's nothing hypocritical about this position. They allow me to use their content in this way so I will, if they didn't, I wouldn't. Working against their explicit wishes (circumventing anti-adblock) is what's wrong.

I'm unable to block their ads on my phone app, so I use it less, but when I use it, I have to see ads.


> Working against their explicit wishes

The companies want you to look at all their ads and be indoctrinated to them. They'd even get you to drink a verification can if they could. Is this the world you want to live in?

Part of personal freedom is about being able to do what you want on your own property, even if others don't like it.


Yep, when I go to a page that blocks content because I have an ad blocker on I don’t even try to bypass it or inspect source and edit to remove it - I just go elsewhere.


Modern ad-funded software is less a "bicycle for the mind" and more a "hamster wheel for the brain". Of course third party clients would be seen as a threat - they empower the user.


It's a threat because 3rd party clients like this circumvent payment for the service via ads. If you don't like the terms, don't use the service. There are plenty of alternatives.


If I'm allowed to close my eyes or mute the volume when an ad is playing why shouldn't I be allowed to get a machine to do this for me?


Because you can use another service where you pay in money instead of attention like Apple products and services. Let’s not pretend like there aren’t many other alternatives


That's not actually answering the question.

Is it legal to look away from ads or mute the volume? If so, it's just as legal to delegate this work to a machine (or to an assistant you hire), or at least, it should be just as legal, though again, I'm not sure that any law has been broken here. Breach of ToS != breach of law.

Whether to use the service or not is a completely different question, but when it comes to Facebook, the problem is the network effects. Facebook has a monopoly on humanity's social fabric in a lot of locations, and since they don't want to intentionally interoperate and cooperate with third-party clients (so your Apple-branded client won't be able to message someone on Instagram), adversarial interoperability is the only way out.


You can decide what connects and doesn’t connect to your home network and home computer. I don’t see why Facebook can’t do the same thing.

You’re free to install whatever you want on your machines, but meta is also free to block you from connecting to their servers. It’s not a utility


"We explicitly violated the terms of service for a website and you'll never guess what happened next."


The company retaliated against their employees through unrelated services it happens to also own? Is this the kind of free market we want? Turf wars?


Each employee willingly participated.

I understand the feeling, but these weren’t random people that had nothing to do with a company action. These were all individuals who took part in the act.

I agree it’s petty, and yes this is what many free market proponents want (unless free market is just a convenient guise to get what they want).


> I agree it’s petty

The pettiness isn't the problem, the extra-legal power that consolidation of capital and media enables is. Competition in the market ceases to be about the best product at the best price, and becomes a game of strategic alliances and power abuse instead.

Edit: To clarify once more: Facebook may have a legitimate interest in keeping this company off Instagram. What it does not have is a moral right to use unrelated properties for retaliation. This is what I meant by "extra-legal" - it's using its market power to punish a company, instead of the courts. If Instagram was independent, it could not engage in this sort of business-warfare.


This wasn’t competition though. This was straight up theft of resources/services.

What? “extra-legal”? Don’t mix this with other behaviors Meta/Facebook/Instagram engage in, I hate them for all the bullsht they get away with too. However, this isn’t that, this is someone trying to build a platform on top of someone else’s platform explicitly against their terms of service and without reimbursing them.


> This was straight up theft of resources/services.

Are you claiming that building and/or using adblocking software is theft?


The argument has been made before, that adblocking is a form of theft. I don’t disagree with it, and when a site blocks me for using ad block I accept it and either forgo the content or disable my Adblock.

Years ago there was an effort to allow users to pay a monthly fee to avoid ads. The idea was that this specific ad network would distribute those funds to the sites you visited in place of ad revenue, and the users would instead see a placeholder of their choice (like a grey block, cat pictures, etc).

I signed up for it, unfortunately they could never achieve market penetration compared to google Adsense, eventually the product died.

Unfortunately there is more money in collecting your behaviors, habits, and using that for targeted advertising than most people are willing to pay for content in aggregate.

YouTube and other platforms have seen some success in ad free options, but only on those targeted platforms where the value-add is clearer to the consumer.


p.s. If I have to go out of my way to evade anti-adblock measure then the answer is a clear yes to me. Otherwise, if no clear block is placed before me I view it as a moral grey area. Sites that I want to support and regularly visit I disable ad block for. I am one of those people who don’t have adblock on YouTube.

I’d like to see an internet that didn’t need ads or ad blockers. Give me a better way to help you monetize your content.


It's hard to be sympathetic to a company that operates morally dubious amounts of data harvesting. If a program enables you to gain more privacy while using the internet, it's a moral good.

I don't consider it to be stealing any resources or services. It's little different than an ad and tracker blocker on a browser. Any client-side user agent should have the right to act on behalf of the user. If it's not illegal to build this kind of program yourself to protect yourself, it shouldn't be illegal for another company to build it and profit from it. A company like Facebook shouldn't have the right to strategically stifle innovation and improvement, in a way that makes the market better for the consumer. That undermines the entire point of capitalism, which is to benefit maximally for the consumer by forcing companies to out-do each other. It reads more like anti-competitive behavior to me, and Facebook refusing to try to properly adapt to somebody making their product better than they can do themselves.

If Ford produced an on-board tracking device that tracked your use of the car to sell to advertisers, and another company sold a device that disabled the tracker permanently, there would be no good reason for Ford to be able to forcefully ban the company from buying their cars. Even if the car was sold at a loss because the ad revenue subsidized the remainder and then some.

People are hungry for privacy and a better experience. Facebook needs to learn to adapt for the good of the consumer, or die by letting other companies eat their lunch. This is good capitalism. It sucks for Facebook, but it's good for the public.


I’m with you almost all the way. I’m just not going to say that any of us are entitled to the resources of someone else.

I believe in what’s best for the commons, but not at the expense of stealing what’s not mine. Sure, take possession of what’s yours, your information, your privacy, your property. But don’t give it all away to receive some benefit, then insist on seizing it all back and keeping the benefit.

The transaction you make with Meta is that you’ll give them a piece of your property, in exchange you get to use their machines. If you don’t want them to occupy your property, stop using their machines.

I choose not to use Facebook/Instagram because I’m not so self important as to share my daily life with “friends” I only talk to out of convenience and lack of something better to do. I don’t feel like the benefit Facebook offers is worth the toll they exact. I don’t want my land to be part of their machine, and similarly I don’t feel entitled to it.

When someone sends me a Facebook or Instagram link and I’m asked to login, I just let them know I can’t view that link. If I’m blocked from Instagram content, or increasingly Twitter content, because of my adblocker, then I just accept that the content isn’t available to me.

I host content I want to share with friends and family on services that I either host or pay for so that I don’t have to subject them to that. So they don’t have to sign away their privacy to view my kids having fun at the park.


If you read the app’s official Twitter you will get several hints that this is likely not just a client-side app.

https://twitter.com/theogapp_/status/1574811388823732233

https://twitter.com/theogapp_/status/1574816036645314561

And they are a venture backed startup. Does none of this alarm you?


You had an argument up and until the idea that Ford wouldn't have a "good reason" to retaliate against a company that was causing them to lose money.

Not attempting to stop that act would be, for a public company, a violation of their duties to shareholders.


We're not saying they shouldn't attempt to stop them. We're saying they shouldn't be able to stop them.


If a comedian is deplatformed should they ban the production team, ban Alex Jones' sound guy maybe, what about the people who voted for Trump, willing participation?

I could imagine certain protests being demonized and their attendants removed from meta for violating terms of service.

The real question is do they virtually round up the avatars for public deletions, or do they just disappear them?

I think a lot of people would enjoy virtual public executions, if anyone from meta is listening.


I was careful in my choice of the word participated. I chose to use that word as I intended it to only include people who worked on the product. If anyone at the company who did not work on the development of the product was banned then I wholly disagree with their suspension.

Also, while I enjoy your alliteration, it’s also an extremely steep “slippery slope” argument. It’s certainly not an argument I was trying to entertain.


p.s. to entertain your comedian argument, I think there are some situations where that may be correct.

If a comedian tells vile racist jokes, I believe the writer of the joke, the talent manager who knew the comedians content, the person who booked the comedian knowing the content, and the venue who knowingly provided the platform for the content should all be similarly shunned.


And the student selling tickets at the counter and the lady cleaning the bathrooms. But not the venture capitalists who put up the million funding?


I don't know what definition of free market would exclude the idea that private companies can take actions to protect their property.


The kind that realizes that government is not the only threat to a functional free market, that does not devolve into feudalism. I am pointing out the failure of lack of antitrust enforcement, not claiming that an unrestricted free market is the ideal, no matter where it leads.


Agreed about antitrust enforcement, Instagram's marriage to Facebook should have never been allowed to proceed. At some point we let “free market” supersede a market with competition. When you become large enough that you can leverage non-tangible assets to borrow enough money to buy out all your threatening competition. Or when you become large enough that you can secure patents for every little obvious development, original or not, and litigate every potential competitor out of existence. At that point I don’t think it’s a free market. Throw in some lobbying, protectionist policies, and now you have a captured market.


The disagreement seems to be over what "free" means and to whom "free" refers.


"can" and "want" are very different things.


The one that says meaningful competition will exist.


I don't see how a service which just regurgitates the content of another service is "competition".


I'm not saying it is. I'm saying that today, social networks are an oligopoly and lack meaningful competition. That makes it not a free market, which means the social media companies shouldn't get to do everything that companies in a free market can, and should instead be regulated like other things that aren't free markets, e.g., utilities.


Social networks are by no means an oligopoly. There are a LOT of social networks out there. There is a lot of competition. There are few, if any, real barriers for an end user to switch to a different social network – beyond convincing their friends to do so.


God I hate having to defend Facebook in any way shape or form, but this is the right call. Not only is this company sort of suspicious looking at it, but as another user brought up they don't even have a privacy policy. I have no clue what the extent of data or permissions their app has once you sign in as a user.

This is a PR nightmare waiting to happen because they're siphoning data using a reverse engineered API. You could argue 'what's the worst that could happen' but if they're inserting themselves into the middle of that process, they can effectively behave as that user and request anything they wanted as that user.

OAuth exists for a reason and it's to ensure that users are made aware of what exactly an app is requesting on behalf of them and so that full chain can be properly tracked. If you really want to argue that third party clients should be allowed then it should be from the standpoint of forcing companies to offer something along those lines, not this. People defending this app is horrifying from a security standpoint.


It seems like the mildest action that could be taken; perhaps they will proceed to DMCA takedowns.


Yet another argument for why you shouldn't list your employer on LinkedIn.


i don't have enough backstory on this. but i find it troubling that they banned personal accounts. the developers speculate that they used linkedin to source their personal accounts.

aren't developer and personal accounts separate on facebook?


So a group of developers gets their app and accounts banned because they violated the terms of service of a major platform. They built a third-party client for Instagram, fully aware that this use-case is a violation of the terms they agreed to. Now they complain because the obvious happened. Not only that, on Twitter they complain about Apple removing their app and not a dozen of similar but different apps.

All larger issues regarding infrastructure providers and user rights aside (and that’s a big swipe), this is childishly silly. It’s the equivalent of stealing some merchandise from a big box store, getting caught and claiming that it should be okay because “everyone’s doing it”. No, it is not okay.

And I say that as someone who fundamentally despises Facebook/Meta. Effective regulation needs to happen resulting in a different set of incentives driving actors like Meta. However, unnecessary stunts like this will only ever cause a storm in a glass of water.

Stunts like this are also intellectually dishonest – they confuse, twist and blend different issues together just to try to amplify their outrage potential until they dissolve into meaninglessness. If the developers are actually serious about this, I’m at a loss for words. Then again, maybe that’s today’s social media in a nutshell.


hot take: AT&T and the old monolithic services are great. I'd rather have a contract I can't really cancel easily, than an account that gets permabanned because of black box can't tell you reasons that can't be helped and no human service.


So a Newpipe for Facebook? Finally. For sure more difficult to pull off, but good luck!


Personally, I feel Meta has the right to do so.


Do they have the right to do so today? Of course. Should they have the right to do so? Definitely not, and that's why we want to see laws in this space changed.


I don’t see how you can be so sure that they “definitely” shouldn’t. This is a very complex issue with strong arguments on both sides.


Not sure what's wrong here?

You fuel the monopoly, you suffer the consequences. You have no real power against them and you still actively support them by creating tools for them. PSGWSP.


1. Violating TOS

2. No clear privacy policy (re: how does the app protect and utilize user info)

3. Circumventing user access/security policies

Maybe I missed something, but it sounds like everyone on their team participated in multiple violations on Meta’s platform. I admire what they were doing, trying to polish a turd, but I don’t think they should get upset when they get sh*t on their hands.

Meta/Facebook/Instagram are a cancer that needs to be excised. No amount of plastic surgery will cure the rot within. The platform exists only to get users into a feedback loop that they can use to advertise to you.

Best of luck to the team, hopefully they come to see this as a positive thing, find alternative solutions, and never have to deal with that garbage platform again.


Founder of the company behind the OG app here.

Just wanted to give my thoughts on the whole situation. This is in addition to our official statement here: https://twitter.com/TheOGapp_/status/1575217497011200001

I want to start off by saying that everyone in this whole comments section has been making points as if what they are saying is "fact". Nothing here is "fact" because there are no laws around API usage. I don't think lawyers even know what HTML or JSON mean. Everything here is an opinion and there are clearly opinions on all parts of the spectrum.

Meta is currently completely within their rights to put in their terms of service that there should be no 3rd party clients, there should be no way to access their APIs, etc. That is true. However, we believe that shouldn't be the case. People should be allowed to have the freedom to choose how they use platforms. People should be allowed to control which apps access their data and what they do with it. Some people in the comments mentioned that this is very similar to "Ma Bell" and the whole anti-trust situation along with that, and it very much is. We are stifling innovation and creation of jobs, wealth, and truly wonderful products in the social space because of the stronghold Meta has over the market. For example, both Brazil (PIX) and India (UPI) have open instant payment systems that came about due to Government anti-trust regulation that encouraged competition. This led to a boom in digital payments and was a huge boon for both countries. If you have tried either of these systems, you would know that they are leagues ahead of more "modern" countries like the US. By not allowing interoperability and portability of social networks, and user data at large, we are stifling the growth of the economy and of the products that can be built. Listen, this is no small amount. Social networks were responsible for onboarding the first billion people onto the internet. These tools now help everyone in the world communicate at all times. Do not underestimate the impact they have and the reduction in value across the world because they are not interoperable. Users who use UPI in India have a choice of over a dozen payment apps, that work with all banks, and they can send money to any other bank, instantly, 24/7! This is HUGE. Similarly, social networks that allow for portability and interoperability will allow for dozens of different apps that fit specific use-cases, allowing for more internet users, and a greater value to the entire world.

So, we built OG because we thought this was the first step to realize this vision of the social internet that was truly open, portable, and interoperable.


Getting to interoperability won't be achieved by questionable third party clients essentially abusing the API of a company. What a weird way of thinking. Work out standards, lobby for them etc. You very well knew what you were doing and what you'd risk.

> People should be allowed to have the freedom to choose how they use platforms

I absolutely despise meta but this is just weird. If a company provides a service, they can do so as they see fit, as long as they are compliant to laws etc. If you don't like it, don't use it.

There are nice projects like mastodon or matrix, which seem to have very similar goals as you. I just can't shake the feeling of you guys being shady af. You can't be naive to think this would work? You have no privacy policy, circumvent the compliance of meta (which is afterall, one of the most watched companies) and essentially proxy all user data. WTF? And who on earth would fund that?


> Work out standards, lobby for them etc.

Back in the AT&T monopoly it required a third-party device (the Carterfone) to actually be released on the market for their anti-competitive terms to be challenged and eventually struck down in court.

> circumvent the compliance of meta

How? If an idiot user gives their credentials to a shady third-party, it's the user's fault for compromising their own data, not Meta's. If a user were to print out pages of the Facebook web UI containing private data and then start distributing them in the streets, would you also blame Meta, and not the user? What about if the user writes down the private data manually, and then distributes it? Etc.

> essentially proxy all user data

What's wrong with proxying? Plenty of mobile e-mail clients for example do proxying as well because there's just no way to maintain a persistent connection or do regular polling on mobile devices due to network & battery life constraints.

Is there any evidence they captured or misused the proxied data for beyond what's needed to provide the service?

Also keep in mind that a vast majority of Instagram data is public by design - people put it out there because they want it to be seen, and it can be seen by anyone accessing the web interface. The people who ultimately own the data often don't want it to be private.

> who on earth would fund that?

Someone who's actually interested in setting the legal precedent that would allow this behavior and invalidate ToS preventing it?


> Back in the AT&T monopoly it required a third-party device (the Carterfone) to actually be released on the market for their anti-competitive terms to be challenged and eventually struck down in court.

That's so american to think that another company should fix this. It's the state's responsibility to fix that, if people want it.

> How? If an idiot user gives their credentials to a shady third-party, it's the user's fault for compromising their own data, not Meta's. If a user were to print out pages of the Facebook web UI containing private data and then start distributing them in the streets, would you also blame Meta, and not the user? What about if the user writes down the private data manually, and then distributes it? Etc.

I mean content and distribution. Also, providers might be liable for not protecting the user enough. Sorry but your other examples are stupid and totally not what I meant.

> Is there any evidence they captured or misused the proxied data for beyond what's needed to provide the service?

I bet you take care of security in your job ... not. "ThEy DiDn'T aBuSe AnYtHiNg (yet)".

> Someone who's actually interested in setting the legal precedent that would allow this behavior and invalidate ToS preventing it?

Still, liability is a bitch, as you can see. The risks were all laid out quite clear beforehand.


> It's the state's responsibility to fix that, if people want it.

So let's say there's a bad law on the books that prevents this. How do you get people to understand why they should revolt against it without giving them a tangible example? There's plenty of bad laws out there such as the CFAA, yet it's virtually impossible to get people/politicians to care about it because they're not affected by it directly. On the other hand, giving people a tangible example of why the law is bad, such as by breaking it to deliver something valuable, will immediately get people's attention when that valuable service stops because of the law and they got used to relying on the service.

> providers might be liable for not protecting the user enough

How do you effectively protect the user when they are voluntarily giving away their credentials? Furthermore, is it even "protection" (as opposed to rent-seeking) if the user consensually and voluntarily shares their credentials because they trust the third-party?

> I bet you take care of security in your job

Well my security model is that the user is only allowed to access the data they are entitled to. If the user gives away their credentials voluntarily, despite all warnings, there's really nothing I can do, and maybe I shouldn't do if it turns out the third-party is actually operating a legitimate service that the users find valuable.

> Still, liability is a bitch, as you can see

Well, all of this will have to be determined by courts, and ultimately depends whether there's any money to be collected in the first place. This entire operation may have been planned ahead of time with the company structured in such a way that there's nothing for Facebook/Meta to collect even if they end up winning any eventual lawsuit.


If you want me to trust your app then open source it. Until then, your app is as far as I'm concerned a black hole of information that is potentially siphoning whatever it can from Instagram when you proxy for a user.

Without that and no privacy policy, no monetization scheme etc leads me to have zero trust in anything you say about a truly open and clear internet.


Remember when Facebook built out an app platform on top of their website, it was all good until they made it clear they didn’t care at all about the developers and just saw them as a way to increase their control of the market.


Backstory?


They developed an app that decouples Instagram from the money stream (for Meta)

> Get the OG Instagram experience.

> Remove ads and suggested content, create completely customized feeds, download content, turn off read receipts, and more.


Thanks.


It is absolutely incredible to me that people are defending Meta in this thread.

- Yes, Facebook had the right to do it. They're terrible for doing it, though. Meta is terrible? No way!

- I'm extremely exhausted of the "tough luck, it's a private company" shtick when it fits someone's personal interests, but cry corporate capitalistic Hell when it doesn't.

- There is nothing I've seen in the Apple Developer Guidelines that would warrant it being removed, though I'm open to this (it's been a while since I've read the full thing)

Perhaps we should ban accounts over iframes next?


You don't think this violates apple's developer guidelines?

Just perusing them, I can see violations of sections:

1.6 Data Security

4.1 Copycats

5.1.1 Data Collection and Storage

5.2 Intellectual Property

5.2.2 Third-Party Sites/Services

5.2.3 Audio/Video Downloading


>1.6 Apps should implement appropriate security measures to ensure proper handling of user information collected pursuant

Why do you assume they're not doing that? Why do you believe storing 3rd party account access information is inherently insecure? It's not.

> 4.1 Come up with your own ideas ... Don’t simply copy the latest popular app on the App Store, or make some minor changes to another app’s name or UI and pass it off as your own.

Why would the whole copyright-fair-use-deal not be the standard here? The app in question is absolutely transformative - it's the entire reason people would ever download it.

>5.1.1

See 1.6, it's the same exact reasoning. There is nothing the app does that is inherently insecure or privacy-destroying from a conceptual perspective. Is there something specific in this monstrously-large section you'd like to call out?

>5.2.2 + 5.2.3

Ah, you're actually right here! I don't actually remember seeing 5.2.2 before. OG does violate Apple's developer guidelines. Interesting.


I think they also statically analyse the code. So who knows what weird thing they did to circumvent auth.


Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.


> Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.

Somebody else said they're using oauth. Afaik, instagram does not provide a public API. So it seems like they abused oauth for that?


Presumably "abusing" OAuth means they've just extracted the client ID and client secret from the official app, thus pretending to be the official app to the API.

There's no other way to "abuse" OAuth other than pretending to be an already-authorized client, and obtaining that authorization still ultimately relies on getting the user's username & password and would only be limited to what the client you're impersonating is allowed to access.


> It is absolutely incredible to me that people are defending Meta in this thread.

Look at who some of the people here work for.


One of the replies nailed it:

>look on the bright side, now you don't have to use facebook any more.


Instagram has a chronological feed now, just in case you missed it


This is a parasitic company that got swatted away like flies from the engorged Meta pig.

Seeing this "OG App" complain about Meta, and Meta fighting back, is truly like two turds fighting over which is worse. It's all crap in the end.


And yet Meta was involved with things like Free Basics, or forcing the Oculus account with a bait and switch, and repeatedly lying about Whatsapp - but I'm sure this Instagram thing is much worse, somehow


Have Meta heard of the Streisand effect?


If you're helping violate Meta's ToS, do you have a legitimate reason why you think they should tolerate you?


Can you imagine the poor intern that's just answering phones or delivering coffee, proud to have their first job, and loses their social media account? Sorta funny.

It also seems extremely petty considering they KNOW this company has endless fake accounts they use, and losing their personals doesn't really mean much other than a personal loss.


Get off Facebook idiots


good



