Oh wow, this app got pulled from everything because it's an unofficial 3rd party client for Instagram? I'll say it again, companies should be legally forbidden from blocking 3rd party clients. They don't have to explicitly support them, but taking action to explicitly thwart them (and writing ToS that forbids them) should be outlawed. There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them. Tech companies get to exploit the public under the guise of something useful, while also getting to completely dictate the terms of that usage. The only thing that limits their exploitation of users is the laws applicable in the relevant jurisdictions (and sometimes not even that). Too bad looking out for the rights of users is apparently just a complete non-issue to anyone in power.
Why should 3rd parties be allowed to make unauthorized api requests?
Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?
I don't align with Meta on a lot of issues, but they should be able to control what apps interact with their platform. Don't like it, don't use it.
The 3rd party is not making the API request though. I am, just using software that didn't come from the platform vendor.
Many 3rd party twitter clients have expressed a willingness to display ads if provided an API to do so.
As someone who has lost precious accessibility capabilities because of restrictions on 3rd party clients, I unfortunately have to point out that I don't really have a choice of what platforms I do or don't interact with in a lot of cases. I wouldn't stay at my job for very long if I didn't tolerate Slack's BS, for instance.
Let me offer you a question then: Do you know how much data the OG App is taking from you while you authorize it to work on your behalf? How do you know it's not reading through your entire message history? Or building its own network graph of your friends to sell? How about security? How do you know it's securely storing your credentials? Or that it's not selling said credentials as well?
Like in this scenario, to Facebook it is in theory effectively you, not the app operating on behalf of you with a limited set of permissions.
Yes, people can and will write malicious programs. Those will sometimes take the form of third party clients for a service. That is not and will never be a valid argument against them being allowed to exist. Monopolies are not ok. Abusive behavior by the dominant market players isn't ok.
Yes, but my point is that said clients should have to talk through properly secured APIs, and that this should be required by law. Until then, an app like this is a massive, MASSIVE security risk and I would question the sanity of any team that saw something like this and ignored it.
> should have to talk through properly secured APIs
I don't follow what you mean by this. The API endpoints that a company provides ought to be secured properly. In practice they might or might not be but obviously they ought to be.
I don't see what that has to do with third party clients though. A third party client is stuck interacting with whatever API the company provides, however secure or insecure it might be.
I mean from another perspective this is effectively a MITM style way of interacting with Meta's API. They are behaving as another unauthorized layer between the user and Meta's API. In actual secure systems involving third party clients the client usually authorizes itself on behalf of some user requests or permissions, so while it does things for the user there's a clear and secure delegation of permissions.
Have you done much work with authorization? To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?
Now let's say that same website instead redirected you back to Steam (properly) and requested authorization on behalf of you. Is this secure?
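To make the distinction the two questions above draw concrete, here is an added example (not code from the thread or from any vendor mentioned in it) that contrasts the "type your password into our site" model with a minimal authorization-code style delegation. All names, scopes, client IDs and redirect URIs are made up for illustration; the point is that a delegated token is bound to the scopes the user approved, is bound to the client and redirect URI the code was issued for, is single-use at exchange time, and can be revoked, whereas a shared password is indistinguishable from the user and grants everything.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical scope names for illustration (not from the page).
SCOPES = {"photos:read", "photos:write", "messages:read", "friends:read"}


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    redirect_uri: str
    used: bool = False


@dataclass
class AuthorizationServer:
    """Minimal authorization-code flow: the user consents at the provider,
    the client never sees the password, and the token it receives is
    bound to the scopes the user approved."""
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, user, client_id, requested, redirect_uri):
        scopes = frozenset(requested)
        if not scopes <= SCOPES:
            raise ValueError("unknown scope requested")
        code = secrets.token_urlsafe(16)
        self.codes[code] = Grant(user, client_id, scopes, redirect_uri)
        return code

    def exchange(self, code, client_id, redirect_uri):
        grant = self.codes.get(code)
        # Code is single-use and bound to the client and redirect URI it was issued to.
        if (grant is None or grant.used or grant.client_id != client_id
                or grant.redirect_uri != redirect_uri):
            return None
        grant.used = True
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant
        return token

    def revoke(self, token):
        return self.tokens.pop(token, None) is not None

    def introspect(self, token):
        return self.tokens.get(token)


class ResourceServer:
    """Each endpoint checks the token's scopes; out-of-scope calls get 403."""
    def __init__(self, auth):
        self.auth = auth
        self.messages = {"alice": ["hi from family"]}   # constructed sample data
        self.photos = {"alice": ["photo1.jpg"]}

    def _check(self, token, scope):
        grant = self.auth.introspect(token)
        if grant is None:
            return 401, None
        if scope not in grant.scopes:
            return 403, None
        return 200, grant

    def read_photos(self, token):
        status, grant = self._check(token, "photos:read")
        return status, (self.photos[grant.user] if grant else None)

    def read_messages(self, token):
        status, grant = self._check(token, "messages:read")
        return status, (self.messages[grant.user] if grant else None)


def password_antipattern(password_store, user, password):
    """The 'enter your Steam password on our site' model: whoever holds the
    password is indistinguishable from the user and gets everything."""
    if password_store.get(user) == password:
        return {"photos", "messages", "friends", "settings"}
    return set()


def demo():
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    code = auth.authorize("alice", "og-app", ["photos:read"], "https://og.example/cb")
    assert auth.exchange(code, "og-app", "https://evil.example/cb") is None  # wrong redirect
    token = auth.exchange(code, "og-app", "https://og.example/cb")
    assert auth.exchange(code, "og-app", "https://og.example/cb") is None  # single use
    results = {"photos": api.read_photos(token)[0],
               "messages": api.read_messages(token)[0]}
    auth.revoke(token)
    results["after_revoke"] = api.read_photos(token)[0]
    return results
```

`demo()` returns `{"photos": 200, "messages": 403, "after_revoke": 401}`: the delegated client can read photos, cannot read messages because the user never granted that scope, and loses access the moment the user revokes the token. `password_antipattern` has no such boundaries, which is the asymmetry the two questions above point at.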
> To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?
"Is this secure?" fully depends on what the attack vectors you're considering are. Breach of the server's database? Make it an app instead of a website and make requests directly. Malicious code in the client itself? Make it open source. Now it's even more secure than the official client.
But regardless of all of this, how is it any of the service provider's business what I do with my login details? It's my data on my account. If I use it in an insecure fashion, that's my problem. I am free to post my login details on Twitter for everyone to see, so why can't I put them in a database on some Russian dude's basement server?
Moreover, exactly how does said 3rd-party app differ from a web browser? Is it not a 3rd-party that has full access to login credentials, cookies, etc? Do they prohibit certain browsers from using their websites and APIs?
This might not be the response you expected, but the app is only a security risk because it's not open source, and you can't audit its changes when you install an update. :)
In this case the risk you take doesn't matter (though I argue from a security standpoint this is something you should really care about in any argument around Meta), it's the risk Meta takes by allowing it. Because if the company takes your data and runs, Meta is the one also on the hook for not securing their APIs. If it turns out they're farming passwords from users to sell to whatever group ultimately the class action lawsuit will come out with knives facing Meta.
Like this is a security problem, straight up. I would hope that you can agree on this and that not securing your API is bad.
What do you mean? On what planet is it a provider's fault if a third party farms logins through a custom client. It's not their fault if I get phished, if the little booklet I store my passwords in under my pillow gets stolen, if my computer is infected with a RAT... so why would it be in this scenario?
I only got a few posts into the thread before Twitter booted me out for not having an account, so maybe there's some context I'm missing, but what kind of "not securing your API" are you talking about? The fact that a third party, explicitly authorized by the user, was able to make actions on the user's behalf, doesn't make it secure, it makes it functional.
> Cambridge Analytica then arranged an informed consent process for research in which several hundred thousand Facebook users would agree to complete a survey for payment that was only for academic use.
> However, Facebook allowed this app not only to collect personal information from survey respondents but also from respondents’ Facebook friends.[13] In this way, Cambridge Analytica acquired data from millions of Facebook users
FB gave them data about friends, when it was supposed to only give them data about respondents. Totally different situation.
Yes, the reason this happened was that when a user authorized the Cambridge Analytica app, it would have the ability to view information about all of that user's friends. Sound familiar?
The fault was not in anything CA did, even though I think what they did was bad. The fault was in Facebook letting clients access more data than you authorized them to.
If I approve an access request for a low level engineer to get a single repo from github, and github lets them access every repo on our orgs account, that's a huge fuckup by github, not me.
No, not even remotely similar. A user authorized CA to see their data for the purpose of a research survey. CA got more data than the user thought they were giving them. With a custom client, the user is giving the client their account for the purpose of accessing all of Facebook through it. The client is getting exactly what the user is giving them and it makes perfect sense that it needs it.
By this logic, it should be illegal / a breach of contract for you to run an ad blocker, since the company may not make money? Should you also be forced to look at ads and not switch channels while they're on TV, with the channel being free to cut access if they find you haven't been looking at the ads they serve?
This logic really bends over backwards to support FB's and similar business models.
Rather than just blocking the request for the ad, if an ad blocker allowed the requesting site to make the request for the ad but then just sent the data to the browser's equivalent of /dev/null, I'd be fine with that as long as I never had to see/hear the ad.
This is of course ripe for abuse, but that's just synonymous for digital advertising in general. I don't consider it any different than me hitting mute on the TV during ad breaks or getting up and going to another room during that break.
If you don't think sites have a fundamental right to push ads to sustain themselves (as I don't), then blocking the request is the best place to do it for performance reasons.
But even if you do believe in that right - the site and advertiser care about a single thing: a human being seeing the ad. Serving the ad request is not just useless for their purpose, it is actively costing them money, and potentially muddling their data.
Doing that is borderline fraud - I believe that GP meant to highlight this. If it gets counted as actual clicks, it's actually explicitly defrauding the advertiser.
Most people sometimes leave the room while ads play on TV. The advertisers know that and work the percentage of people that do that into their pricing, etc.
Also, non-organic click fraud is rampant already (and maybe even the majority of clicks). /dev/null + click would at least route ad income to reputable sites that at least have some human readers to view future ad impressions.
There is a difference between you ignoring ads as a user, or an adblock tool removing the ads entirely, and a tool that explicitly tries to make it look as if the user is interacting with the ads. The last tool is actively malicious and deceptive in a way the others are not.
I never meant to imply clicking the ads in order to get fake clicks. What I meant was for any ads posters/videos that are loaded during page load to go ahead and load them BUT don't display them. This gives the website the impression count, but no fraudulent click throughs. This was how I was equating it to walking out of the room during broadcast commercial breaks.
Yes, if a website clearly stated that by accessing the content of the webpage you agree to not use an adblocker while doing so, that could well be legal depending on the circumstances. Enforcing it would of course be difficult.
If you found out Netflix actually streams their content from a public endpoint. You would not be legally allowed to take advantage of that.
No one should be able to control what apps interact with their platform. Companies should have exactly zero control over how people interact with endpoints they open to the internet and it should be illegal and unenforceable to try to create any contractual obligations about how someone interacts with your APIs.
Cheers, I have never before heard anyone else say these points I've been arguing (without me saying it first, at least). I feel a real sense of relief not being the only person "in the room" to say this, for once.
I don’t see any reason that fair use limits or blocking interactions that behave like attacks should be incompatible with allowing and not penalising the use of third party clients.
I want to preface this with that I agree with your point that DOS is abuse and not actually trying to use the platform.
I disagree with calling the question ridiculous. If we’re involving legality like the poster up thread implied with making this illegal then there needs to be some sort of test or rule put in place on what constitutes illegal activity. We currently don’t have one and whenever a new rule is put in place you quickly find out that there is a significant chunk of people who would find anything you think is obviously wrong to be obviously right and vice versa
And using their servers and resources without generating them any revenue is not abuse? They clearly don’t want you to run a third party app without ads, yet you feel entitled to it?
No, it's not. In this case, abuse is about intent: DOS intends to cause distress, losses and denial of service to others. Use with third party apps without ads intends none of this: the intent is to use something else to access the service in an otherwise normal (to the user) way.
Arguably third-party apps that are scrapers are somewhere in between these two in acceptability, but that's a question of "are scrapers morally fine and should they be legally allowed", not a question of whether third party clients are to be allowed at all.
If I access your API I’m using your server because you offer it publicly. That is not abuse.
The distinction is about whether you should be able to offer something publicly, taking advantage of public infrastructure to do so, and then make demands about what the public do with that.
Companies want to do the electronic equivalent of putting copyrighted media on a billboard in a public square then claiming you need to sign a contract to look at it and then only through special glasses they provide.
I think I should have the legal right to access private messages addressed to me by family members via the service explicitly designed to facilitate private communication between friends and family members. I don't think I should be forced to see advertisements and be subjected to historically-unprecedented surveillance to read those couple hundred bytes of text from a family member.
When a platform's primary purpose is communication, certain legal rights should be invoked immediately. In my opinion, one of those rights should be the ability to access those communications by any 3rd party client that doesn't intentionally function maliciously. How "proper 3rd-party client behaviour" is evaluated can be a problem for the industry to solve. They have the $trillions to figure something out. I think they'll survive.
The argument "don't like it, don't use it" isn't a very reasonable argument when, socially speaking, you "have" to use a given service (usually the regionally-omnipresent service) to be included in society. Communication is the foundation of society and of human existence. I miss out on a shocking and honestly depressing amount of social activity because of my boycotting of FB, IG, WhatsApp and other similar services.
I expect that our ability to communicate is carefully protected and treated as something crucially important. There's a reason there are SO MANY commercial services around communication and they are largely the most lucrative, because everyone NEEDS to communicate. People will subject themselves to extremely disadvantageous conditions to enable communication with others. Think about it. Facebook, Twitter, Instagram, TikTok, the internet, cellular phone service. These things are fundamental to communication in global society, and a TON of laws are written to govern their employment/usage. Internet communication just happens to still be pretty early in the stages of its effect on humanity, and as usual the legal world is well behind what those effects are. The effects are finally being felt. I believe my feelings on this subject will become more widespread as people realize how deeply they have been exploited by industry (once again).
I disagree. No one has the right to use facebook/twitter/etc as they wish, or even at all. They're not necessary for modern western society. SMS and phone calls are always an option. We aren't like China where if you don't have WeChat you can't do anything.
On the flip side, then, no government organizations should use Twitter as their primary form of disseminating information. I should be able to get this information without creating an account on these platforms (looking at you, MBTA).
Yeah, I totally believe this -- no government organization should be allowed to post public announcements/information to a proprietary platform gated behind a ToS without also posting that information on publicly-accessible unencumbered locations like a basic, low-resource-usage website.
The forces at play when it comes to communication platforms are not so black and white. I didn't say that I expect to have the inalienable right to use the service. I just expect to have the right to use the service without especially onerous "cost" to me (such as being subjected to privacy-invading surveillance/tracking technology and advertising). If someone goes on there and spouts walls of swearing and racist memes or whatever, yeah, banned.
And, actually, have you tried just not using Facebook for a year? Don't even log in whatsoever? Try it, seriously. I have missed parties, concerts, family gatherings (seriously), news of births, marriages, new homes, major life events (including deaths). I found out my cousin had a kid like 6 months later. I found out a friend died months after it happened. I miss out on the opportunity to partake in things that would have greatly enriched my life. This is the cost to me, personally, by opting out of THE platform that EVERYONE uses. I can't just constantly SMS and call everyone I know asking them every detail of their life, because they exclusively share it all on Facebook. You simply cannot invalidate this very real cost as "yeah well, just use something else".
These huge costs of exclusion are exactly why I believe that I should have the right to access de-facto-standard communication services with software of my choice that respects my psychological stability, privacy and accessibility needs (including cognitive) -- again, as long as that software conforms with proper API usage behaviour. Right now, I'm in a pretty coercive position where I either subject myself to the objectively-harmful design of the Facebook platform, or face pretty adverse effects to my socialization. That's one case where governments enact laws, to protect individuals from these sort of extremely skewed power imbalances.
BTW, I get what you're saying. All these services are technically optional. I kinda used to feel that way, until I actually started not using the services that I felt were manipulating and coercing me. Then I realized just how much power these services have over us. I realized these services are optional in just the same way as the telephone and the automobile used to be. Totally still optional. Just mail a letter instead. To me it's like, at this point, as a society, we need to decide whether we care if someone can be seriously cut off from modern society because they don't agree to have advertising shoved in their face, manipulative "algorithmic feeds" selectively shown to them to "drive engagement", and unprecedented surveillance cataloguing their every action 24/7/365.
Probably because literally every single friend and family member of mine is on there and sharing their entire life there (and messaging me) and I can't take part in that. I said in another comment that once a platform provides that degree of communication, certain rights to protect the users should be applicable, to ensure we are able to participate in society without onerous cost to our mental health, dignity or privacy.
If shops don’t like shoplifters, they should stop putting products on shelves where anybody can just take them and walk out - it’s dumb to get the police involved to keep sustaining this obviously-flawed business model.
Stores DO lock stuff up. Nevermind that shoplifting is barely even a concern for most large stores, as they lose significantly more to other means of "shrink"
Why are first parties serving unauthorized API requests? If the API request is unauthorized, surely the proper response is "401 Unauthorized" and not "all the data you asked for, but then I'll find the people who helped you and get mad at them"?
The problem here is that Meta wants to plug things into the internet and then control who gets to ask for those things. This is not how the internet works, at all. If you don't want third parties accessing your APIs, lock them down.
I'm willing to bet the instagram app already signs their api requests to make sure they're coming from the app. Third party apps are reverse engineering that. If you try to send a request without those headers, it'll very likely give you a 4xx code.
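The comment above describes request signing in general terms. As an added illustration (not the page's code, and not a description of Instagram's actual scheme), here is a small HMAC-based request signer and verifier in Python: the client binds method, path, timestamp and a body digest under a shared secret, and the server answers unsigned, tampered or replayed requests with 401 instead of the data. The secret, header names and endpoint path are constructed for the example. The last case in `demo()` shows the limit the commenter alludes to: a client that has reverse-engineered the secret signs exactly as well as the official app, so signing authenticates possession of the secret, not the identity of the software.

```python
import hashlib
import hmac
import time

# Hypothetical secret embedded in the official client; constructed for this example.
CLIENT_SECRET = b"example-client-secret"
MAX_SKEW_SECONDS = 300  # reject timestamps further than this from server time


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and a body digest into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, body, timestamp=None):
    """Client side: produce the headers the server will check."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, now=None):
    """Server side: return (status, reason). Anything not correctly signed
    within the allowed clock skew gets 401 rather than the requested data."""
    now = int(time.time()) if now is None else now
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if ts is None or sig is None:
        return 401, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return 401, "bad timestamp"
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return 401, "stale timestamp"
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak by timing.
    if not hmac.compare_digest(expected, sig):
        return 401, "signature mismatch"
    return 200, "ok"


def demo():
    now = 1_700_000_000                     # fixed clock so results are deterministic
    body = b'{"caption": "hello"}'          # constructed sample request body
    path = "/api/v1/media/upload"           # hypothetical endpoint
    good = sign_request(CLIENT_SECRET, "POST", path, body, now)
    results = {}
    results["signed"] = verify_request(CLIENT_SECRET, "POST", path, body, good, now)[0]
    results["unsigned"] = verify_request(CLIENT_SECRET, "POST", path, body, {}, now)[0]
    results["tampered_body"] = verify_request(
        CLIENT_SECRET, "POST", path, b'{"caption": "pwned"}', good, now)[0]
    results["replayed_later"] = verify_request(
        CLIENT_SECRET, "POST", path, body, good, now + 3600)[0]
    # A third-party client that extracted the secret signs just as validly.
    reversed_headers = sign_request(CLIENT_SECRET, "POST", path, body, now)
    results["reverse_engineered_client"] = verify_request(
        CLIENT_SECRET, "POST", path, body, reversed_headers, now)[0]
    return results
```

`demo()` yields 200 for the properly signed request, 401 for the unsigned, body-tampered and hour-old replayed requests, and 200 again for the request signed by a client that holds the extracted secret. That is why a scheme like this raises the bar against casual scripting but cannot by itself distinguish the official app from a reimplementation of it.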
You can reverse engineer it all you want, the issue is when you publish something that interacts with a remote resource in a way that the owner of that resource did not allow you to.
While I mostly agree with you, banning the personal accounts from their *team* is a bit much. Especially considering how that also includes access to Instagram, and WhatsApp, WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.
By that logic, every employee of Apple/Google/Meta or at least the ones working on related projects should be handed a fine every time Apple/Google/Meta gets fined by the EU for breaking the law/abusing its position? They are violating the law after all.
You can put whatever you want in a contract, and the other party can sign it, but that is not enough for it to be valid. Contract law usually has call outs against obviously absurd, overreaching, or "I own everything and anything" clauses
> WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.
Absolutely the best reason why businesses should move to Signal. Imagine if your business gets cut off from Meta products, or if at any moment some of your customers get cut off.
Facebook is an extremely limited and poor platform for representing a business, and it too should be avoided for the same reasons (and for being such a garbage fire in general).
Why shouldn't I be able to use the software of my choosing? If I have an account and have properly authenticated, the client I use is my choice.
You can't reasonably make the "go elsewhere" argument with the monopoly hold FB has on much social data. We need to choose to regulate them and others to force interoperability, or at the very least allow comcom explicitly (competitive compatibility).
Because your access to their API is conditioned on an agreement not to use unauthorized clients. You are free to use the software of your choosing in conjunction with your own computers, but not necessarily with everybody else's.
What's an unauthorized device? If I fork chromium and make my own browser what makes it authorized or unauthorized? If I make a CURL request from my terminal is that authorized or unauthorized?
If FB blocked any requests from Firefox Focus they'd likely be in hot water from government agencies.
This kinda is how freedom works though. You're free to use whatever client you want, and Meta is free to implement API in a way that will not allow your client to call it.
So I should be able to steal from my neighbor because that's true freedom? Because you're using their resources and servers in a way they didn't authorize.
They don't though. They're giving the data to the original client, not to the third party one. They're free to choose who they're giving the data to and you accept those conditions by using their product.
They gave you the data conditioned on an agreement not to use unauthorized clients, the same way any number of real-world businesses "give" you things subject to conditions, like the waffle maker in the hotel lobby which requires you to stay there overnight to use it.
What if your neighbor lends you a book, subject to the condition that you only read it to your sons, not your daughters? Are you stealing if you read it to your daughters anyway?
I think the perspective here is a very interesting one. Typically, such transactions are seen as between a user and a service provider. There is an agreed-upon protocol, and so long as everyone sticks to the agreed-upon protocol, the exchange can be successful: this is the basis of Email, the Web, etc.
Taking aside advertisement for a moment, what you're suggesting is that the level of control should go as far as which clients are allowed to speak a given protocol. This would be similar to the landline system during the monopoly days, where you were only allowed to connect an officially-approved phone (with a correspondingly high ongoing rental cost) to the copper lines.
From my perspective, there is no 3rd party involved here: there is an API surface which is developed and supported, and there is a client/customer who is interacting with the service through that API. Advertising either needs to be implemented into the API (good luck--see the demise of RSS), or the 1st party needs another business model.
> Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?
Ad blockers are already a thing. Should they be forbidden?
My position is that if a website uses anti-adblock and you're using an adblock, circumventing it isn't okay. You're free to use a different website.
Now, one could argue that by displaying ads in the first place, using an adblock is circumventing something therefore it isn't okay (basically remove one layer of abstraction from the previous sentence). That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).
One could argue that allowing adblock users is a strategic decision in hopes they can spread the use of the website and payoff their "debt" that way. I operate web games and I allow adblock users for that reason.
> That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).
That's fair - you are knowingly subsidising adblock users. If you don't want to subsidise adblock users, you're free to use a different site.
I don't think there should be "freedom of business model". We aren't obliged to respect and comply with your choice of way of getting rich. If your business model is dependent on people looking at you in the "right" way then tough luck.
I don't think there should be a "freedom to use my stuff but ignore my rules" model - if a person (or a company) is providing a service, they should be able to do it the way they like. Don't like the rules? Don't use the service.
If there was fraud involved, one party may get damages/compensation. But forcing someone to provide service is just not right.
(With the exception of monopolies of course. Let's regulate them.)
Should your power company be able to impose a rule on you that you must not plug any Samsung-branded appliances into any outlets in your house? Re your "monopolies" parenthetical, what if you live somewhere where you can pick what company generates your power? Would this be okay in those places?
Nobody has a monopoly on power generation, $30k can get you a self sufficient solar setup so obviously power companies should be allowed to create whatever conditions they want...... /s
Exactly - until legal action happened. I think internet user rights have a LONG way to go, and I can only pray that stuff like "forced to look at insipid, manipulative advertising so you can continue to talk to your family" may indeed become a thing of the past.
I currently have an Inbox of multiple messages from family members awaiting me, except I refuse to log into Facebook to view them. The only remaining notification email I have left enabled for Facebook is exactly that -- private messages. This way I can contact the relevant person elsewhere and ask them what the message was. This is the kind of "bending over backwards" I have to do to avoid the surveillance-capitalism crap I'm coerced towards by these platforms that can do essentially whatever they want AND demand exactly how we are _allowed_ to interact with them. Why can't I use an unofficial Facebook Messenger client and read the <100 bytes of communication my family member wanted to send me? Ahh yes I have to agree to a hundred-page ToS and subject myself to ads and privacy-invading user tracking to see those few bytes. This is fine.
That's exactly what phone companies used to do, and they only stopped when the government made them stop. It was more profitable for them, at our expense.
AFAIK you've always been able to bring your own phone. They just wouldn't unlock your subsidized phone after the contract ended (which I find unfair, but it's in the contract people signed, so...). Regardless, I think this line of thought is becoming too off-topic.
Why should the first party be serving content to people using third party apps that generate them no revenue? Just like websites are free to block adblock users, app apis should be free to block third party app users.
They do. Many of them expect Chrome. While Safari and Firefox are now much better supported than years past due to most sites complying with web standards, I still see some annoying incompatibilities here and there with older finance websites. I didn’t like it, so I switched to a larger bank. Your argument would have more teeth if meta had a monopoly. It doesn’t
I don't think the same set of interests are in play there. Phone companies have a government granted monopoly on things like wireless spectrum and public rights-of-way for wiring and other infrastructure, not to mention subsidies and tax breaks.
I can't come up with a good justification why a private company on the Internet cannot dictate how you interact with them. Facebook isn't infrastructure.
Rules about things like DRM already have carve outs for "interoperability". A big example is back in the 90s, EA didn't like the rules Sega made for putting games on the MegaDrive/Genesis, so they did some reverse engineering work and made their own cartridges that worked great. Sega took them to court and got smacked down pretty hard, basically invalidating their entire anti-copy strategy.
We should push for MORE of the above, not less. We should push for laws that HELP people use the things they have, instead of locking them out of their own property. If Facebook doesn't like people trying to access their own content, Facebook shouldn't have built a business on everyone else's content. Nobody forced them to do that.
EA making games for MegaDrive/Genesis doesn’t cost Sega any money. You using the api without ever seeing any ads will actively cost Meta money. Not the same thing.
I agree that it's not the same thing, and I don't know offhand about the MegaDrive/Genesis in particular, but game consoles have often been sold at a loss with profit made on sale of games. If that was true for Sega at the time, anyone like EA making games that motivate sales of Sega consoles but no purchase of Sega (or Sega-licensed) games would absolutely be costing Sega money.
I make no particular comment, here, on whether we should be defending that business model.
"How do you expect the 1st party to stay in business?"
Here is a different way to look at what is going on lately in the short history of the internetworked computer. To me, there is no legitimate "business". Meta cannot charge IG users a fee. They will not pay. If they would pay, then why not charge them. Instead Meta exploits IG visitors by spying on them. Advertisers will pay. Third parties will be interested in the data Meta collects. What Meta is doing with FB, IG or WhatsApp is not legit "business" IMHO, because, IMO, a business generally produces something of value that people pay for. Generally, Meta does not do that.
Newspapers sold advertising, but people were willing to pay for newspapers. Because newspapers produced something of value. They employed people to produce a product that people paid for: journalism.
Meta does not employ people to produce something of value that people will pay for. The content on these apps comes from the people who use them, and from journalists employed by newspapers, but not Meta. Meta makes people the product, access to and data on which they sell to paying customers. Websites and apps are not "products". In this "business" the people who use them, their behaviour and the details of their lives, are the product.
A kid's lemonade stand looks more legit as "business" to me than a "tech" company producing so-called "products" that are given away for free, as bait. These are not the product that customers pay for, that no one likes to talk about.
Billboards owners sell advertising. They own or lease real estate with high visibility to traffic. It is difficult to avoid billboards because we generally use the same paths to travel in physical space. As such, billboards are regulated. Not everyone with land adjacent to high traffic routes can erect billboards. See, e.g., Highway Beautification Act of 1965.
Perhaps Meta is like a billboard company in a world that has yet to regulate billboards. IMO, Meta is far more of a hazard to life than a billboard is to the beauty of a highway. Meta does more than display advertising to people who use their websites and apps. Meta's "business model" is threatening the stability of society. If it is allowed to continue, it should be heavily regulated.
Imagine someone telling you, "If you don't like the billboards, don't look at them." Or "If you don't like the billboards, don't use the highway." It is not so simple. Now imagine Meta tells you, "If you don't look at the billboards, you cannot use the highway".
Meta is obscuring the true potential of the internet. It has given the internet a bad rap. Meta is not the internet nor its potential to improve people's lives any more than billboards are the scenery. If left unregulated, billboards can obscure the scenery and eventually they can destroy it.
If you want to use their apps so badly to connect with friends and family, it seems like they’re providing you with legitimate value. Your payment is being exposed to their ads. This is a legitimate business.
Billboards are regulated because they’re inevitable. You’ll see them just walking around. On the other hand, no one is forcing you to use Facebook nor Instagram.
Every time this kind of thing happens I just remember how much bigger Twitter got with the help of third-party clients, and then implemented terrible login token limits to prevent any from becoming as good as their own offerings once traction picked up.
Yup! As a Twitter user since 2007 I've watched as 3rd party clients were superior by far (TweetDeck was still my favorite), and have now been left in the dust as Twitter leaves them for dead by cutting off API features to them. Twitter itself has never made a client as good as TweetDeck or TweetBot, and invariably never will.
Ok, that’s fair, but how should the platform be compensated for the resources expended by the users or developers in question?
Would you be ok with a usage plan? Something like $1 per 10,000 tweets read? I mean, the developer could save money by caching the most popular tweets and serving them from their cache, I imagine they’d have to charge for that infrastructure though and somehow they would pass the costs on to the user. Maybe they could offer a monthly plan, with some kind of fixed cost that would keep most users fed with tweets while also not making users worry about usage based billing.
Maybe Twitter/Insta/whatever could just require you to have a paid plan to use 3rd party clients?
Sure, that's fine by me. Or even "video content is restricted to 240p unless you have a paid subscription, then you can see videos in 1080p". Right? It's 1000% possible to come up with totally fair business models that aren't so blatantly exploitative. Right now "the user is the product" on ANY free service.
Previously there was App.net, which was effectively "Twitter but you pay for access". It had a free tier which had very reasonable limits. It was actually super awesome, and it actually provided a whole identity platform, enabling 3rd party applications of different kinds (for example an Instagram-like, Favd[0]). Unfortunately it didn't pan out, not sure the whole backstory, but it was a really amazing platform and I would love to see more internet services like that.
That would be awesome. Right now, you usually get an even less favorable choice than that! For example with Spotify, you either use their app and see ads, or you pay and don't see ads, but still are forced to use their app.
That is probably a licensing requirement for the providers of the music. They likely require some form of DRM in their agreement with Spotify.
If anyone could make an App, how would Spotify be able to properly track song plays and whatever else they need in order to pay the rights holders?
Plus, someone would end up creating a 3rd party client that silently plays some song, unbeknownst to the user, in order to rack up plays and earn more money.
> companies should be legally forbidden from blocking 3rd party clients
While, in cases like this, I agree with you, I think there needs to be nuance to a rule like this.
Consider what would happen in the reverse case. A competitor arises to some aspect of Facebook's services—say, an app that does something kinda like Instagram, but not quite—and becomes somewhat popular.
Facebook adds support for accessing this competitor's service from their own app—look how convenient! You don't need to download two apps, just our app!
They replace the ads from the service maker with their own, thus starving them of revenue...or they just wait until some critical mass of users access the other service through their app, then offer free and easy migration from the other service to their own. Then they start introducing UX problems with the other service—oh, but it's not their fault. It's because of changes to the API or ToS of the other app!
In short, if this sort of thing is mandated universally, it simply tips the scales back in favor of the behemoths already ruling the roost, who can afford to build support for a dozen competing apps right into their own, and use the good old Embrace, Extend, Extinguish (or any similar playbook) to make sure the competitors die of asphyxiation.
If you've ever worked on an online service, you might realize that what you ship for the client is almost irrelevant -- it can all be reverse engineered and an unofficial client can _always_ be created. This happens for all online services, even if it's just someone's data-mining app running on a local machine. The number one rule is "never trust what comes from the client", because it's trivial to create carefully-crafted network calls to basically do whatever the API allows (and sometimes more than what was supposed to be allowed).
So, obviously 3rd party clients are thus able to perform malicious acts, but existing laws already forbid this.
My suggestion to ensure 3rd party clients are always legally permitted isn't mutually exclusive with existing laws protecting the creators of services and software. :)
I haven't read it thoroughly, but given the App Attest service runs on the OS, why can't someone just find the certificate for it hidden somewhere and use that to sign fake attests in userland? This is just an extra layer of obfuscation. It doesn't prevent someone from faking api calls with no app (or phone) involved.
Given that this only runs on certain Apple hardware, I wouldn’t be surprised if the Secure Enclave holds that certificate and can confirm at an extremely low level that it is being used only to sign a hash of the app code itself and a shared secret with the app developer.
Brilliant, in a scary way. In a way it makes data portability regulations all the more important.
It generates a public-private key pair that is stored in the secure enclave, then it sends that public key (or the hash maybe) to Apple for them to sign. The rest of the stuff is as you expect.
One could simply figure out how the request to apple is made to get them to sign a key, and that's that. Get them to sign a key and pretend to be the app from now on.
I guess this prevents spam from someone signing thousands of keys using a specific phone's serial number, though. Assuming there's an unique public-private key for each phone apple makes, one can't simply get them to sign keys with random serial numbers.
The way these schemes usually work is that the pairing is done at the factory. Apple switch the iPhone on for the first time as it's being made, it generates a private key that never leaves the secure chip and then presents the public key. The public key is then signed to create a certificate chain and the certs handed back to the device for storage.
So, there's no way to beat it except by extracting a private key, or by using some software exploit to confuse it into signing the wrong thing.
You don't need to extract the private key though, just use it to sign things. So if you have shell access on the phone, you can tell the SE to sign the request you want.
Only to some extent. Apple work very hard to prevent that from being possible, and it's not necessarily signing just anything the app processor sends. Usually this stuff is integrated with the bootup process.
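The factory-pairing flow the comments above describe (a key generated inside the secure chip, its public half certified by the vendor at first power-on, the app hash plus a server-chosen value signed by that key), as an added toy model in Go. This is not Apple's App Attest code; the root key, the app hash and the nonce are constructed stand-ins. The verifier shows both what the scheme catches (a key made outside the chip, a replayed signature, a modified client build) and the limit raised just above: the server only learns that something holding the certified key signed this digest, not whether the OS that requested the signature was intact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Toy model of the factory-pairing attestation flow. The "root" key stands in
// for the vendor's factory signing key, the "device" key for one generated in
// the secure chip. All keys and inputs here are constructed for illustration.

// DeviceCert is a minimal certificate: the device public key plus the root
// key's signature over it. It is what the device stores and later presents.
type DeviceCert struct {
	PubKey  *ecdsa.PublicKey
	RootSig []byte
}

// pubBytes encodes a P-256 public key as fixed-width X||Y for hashing.
func pubBytes(pk *ecdsa.PublicKey) []byte {
	b := pk.X.FillBytes(make([]byte, 32))
	return append(b, pk.Y.FillBytes(make([]byte, 32))...)
}

// Provision models first power-on at the factory: generate the device key
// (which would never leave the chip) and have the root certify its public half.
func Provision(root *ecdsa.PrivateKey) (*ecdsa.PrivateKey, DeviceCert, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, DeviceCert{}, err
	}
	d := sha256.Sum256(pubBytes(&devKey.PublicKey))
	sig, err := ecdsa.SignASN1(rand.Reader, root, d[:])
	if err != nil {
		return nil, DeviceCert{}, err
	}
	return devKey, DeviceCert{PubKey: &devKey.PublicKey, RootSig: sig}, nil
}

// attestDigest binds the app code hash to a server-issued nonce, so one
// signature cannot be replayed for a different app build or a later session.
func attestDigest(appHash, nonce []byte) []byte {
	h := sha256.New()
	h.Write(appHash)
	h.Write(nonce)
	return h.Sum(nil)
}

// Attest is the device side: sign hash(appHash || nonce) with the device key.
func Attest(devKey *ecdsa.PrivateKey, appHash, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, devKey, attestDigest(appHash, nonce))
}

// Verify is the server side: check the chain (root certified this device key),
// then the signature over the app hash it expects and the nonce it issued.
// It proves possession of a certified key, not that the OS that asked the
// chip to sign was itself trustworthy.
func Verify(rootPub *ecdsa.PublicKey, cert DeviceCert, wantAppHash, nonce, sig []byte) error {
	d := sha256.Sum256(pubBytes(cert.PubKey))
	if !ecdsa.VerifyASN1(rootPub, d[:], cert.RootSig) {
		return errors.New("device key is not certified by the root")
	}
	if !ecdsa.VerifyASN1(cert.PubKey, attestDigest(wantAppHash, nonce), sig) {
		return errors.New("signature does not cover the expected app hash and nonce")
	}
	return nil
}
```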
It isn't true for iOS devices, perhaps. I refuse to run an OS that supports such nonsense. Right now a custom Android rom is sufficient. In the future I expect I'll be moving to one of the Linux distros once they have better support for mobile.
"Never trust the client" is true, but in practice, some control over the client still helps reduce abuse if you make third party clients a lot harder (eg remote attestation.)
Back when MechWarrior Online was still pretty new, I reversed the login app (100% .Net, very little obfuscation) which allowed me to access test servers that were testing an unreleased map. Fun times.
This seems a bit unrelated but I'll chime in with my opinion.
Unfortunately for some types of games (first person shooters), a modified client can be game ruining for other players. For me, as long as it's only running while the client is running, and doesn't send private data remotely, I'm okay with it.
At least on Windows there's not much difference in terms of privacy of something running in the kernel vs userland in the same user as your important documents. It can read your entire filesystem and attach to running apps anyway without needing kernel access. So the "in your OS kernel" part is only concerning if their anti-cheat is coded poorly enough to cause a BSoD.
It prevents the more amateurish cheats, which by itself reduces cheating in the community by a lot. Obviously in these kind of games, active policing is the only way to find the most sophisticated cheaters. But the anti-cheat does help.
Well, if valid uses for clients are outlawed then the only people buying clients will be the ones trying to abuse the system. So really all the policy does is change the market.
> Meta isn't some utility people can't live without.
This is not true for large parts of society.
There are many institutions which force you to communicate via facebook, so not having access to it means you're locked out of parts of your real life.
This is horribly wrong by those institutions, of course, but here we are. It should be illegal, but isn't yet.
Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options. After the Cambridge Analytica scandal, Facebook no longer has unbreakable mindshare. This is especially true the younger the generation.
> Ask them to use something else, or get an exception by explaining that you were banned. It isn’t endemic and there are always options
Good luck if it's a business or public org. Why change their process for what amounts to a minority of customers? It's not worth the cost. Whether these people can't do business with them despite these services being essential to everyday life... well tough luck for them I guess?
Own example: in $COUNTRY almost all banks use either their app or Viber to send 2FA. I refuse to use Viber out of principle, and also their app refuses to work on phones that don't use Google services.
Should I be locked out of my banking because of me refusing to support the practices of other, unrelated services that happen to be 'popular'? Note that there is no other way to get the codes - other banks may use SMS but that is expected to be sunset next year and they will switch to the same methods.
IMHO it's disingenuous to say that there are options, when most of the time there aren't any.
It’s not as endemic as you make it out to be or there would be a public outcry.
Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives
> It’s not as endemic as you make it out to be or there would be a public outcry.
It's a matter of time. Even if it's not endemic in the US (which I severely doubt) it's endemic elsewhere. Don't underestimate the public's ability to put up with things, especially if they are mostly kept in the dark about the most sinister effects.
> Banking and social media are also two very different industries. One is essential while the other is mainly bread and circus with a myriad of alternatives
Both are essential. Social media is what you make of it. It can be bread and circus, yes, but it is also an invaluable tool for communication. Losing access to them can stifle your communication efforts by a lot. Why, you may ask? Because network effect is in full swing: "Phone call? Who still does that? Just use messenger like a normal person". No one's gonna bother to call you or SMS you cause 1) you're not on messenger or whatever app they use and 2) can't be bothered to contact you at your preferred non-app way, when the whole friend group has a group chat from which every single interaction and update is broadcasted to everyone. In the end, keeping you in the loop is too much work, and then you start missing out on outings etc. And even if you somehow persuaded all of your friends to use alternative methods of communication, 99.999% of the planet just can't be bothered, especially when they have friends that are reachable over 5-6 different apps, one on each friend.
Facebook’s brand has been all but destroyed. The Quest 2 is prime evidence for that. It’s an amazing device at an amazing price that didn’t have as many adopters due to meta’s past reputation.
Social networks are not an essential service. There are other social networks and there are other forms of communication including SMS which is standard on all phones. If you’re not willing to pay for a better service like iMessage instead of an ad supported one, that is your problem
Doesn't Meta have an obligation to protect users that do want to use their product? This is like saying people should be free to pee wherever they want, if you're worried about the smell, don't walk there.
Actually, the pee analogy fits better with your argument. You’re arguing that people can siphon electricity and use meta’s servers without paying (via ads).
As I’ve already mentioned, meta isn’t a utility that people can’t live without like a phone. If they don’t like it, they should use something else. There are many alternatives
Nonsense, it’s a private company, they can allow or not any access to their platform. I’m not a fan of Facebook in any way, but they have the right to do this, and ban users for their own reasons. Don’t like their policies? Don’t use the service, I don’t.
> There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them.
Of course they should be able to block 3rd party clients. Just because it's technically possible to hijack an API, doesn't mean it's legal or ethical. If you don't want to be tracked, don't use Instagram.
However, Meta blocking the developers fb accounts is basically harassment. Let the courts sort it out if their app is illegal. Meta shouldn't take things into their own hands.
> Of course they should be able to block 3rd party clients. Just because it's technically possible to hijack an API, doesn't mean it's legal or ethical. If you don't want to be tracked, don't use Instagram.
This is the bit that's confusing to me.
If I want to access my FB/IG/whatever content, and present my credentials to the server along with a valid request for my data, why should Meta care how I do so?
I could be using nc[0] piped through openssl, rather than a web browser (do you believe Meta can mandate which browser you use and/or what add-ons/extensions it runs?). Is that "hijacking" the API?
If the answer to that question is "no," then shouldn't I be able to write my own client, to access my data, too? If you think I should, then how are either of those (nc, write my own client) really different from using software written by someone that's not me or Meta, as long as I (providing authentication/authorization for my own access) use it to access my own data?
The data served via the API is ultimately what's displayed on the screen of the official client - if they're displaying it to you, they're happy for you to be seeing it and it shouldn't matter whether you're seeing it in the official client or third-party.
That's not how it works. If a badly configured NSA server displays confidential data on your screen, you're still a criminal if you make use of that to access data.
> it shouldn't matter
According to? That's an ethical stance one can take, but it isn't how our laws work.
> According to? That's an ethical stance one can take, but it isn't how our laws work.
What law? Please be specific here as I'm not clear what you're getting at.
If you're referring the Computer Fraud and Abuse Act (CFAA)[0], it states:
The law prohibits accessing a computer without authorization, or
in excess of authorization.
WRT NSA servers, accessing classified information (assuming you don't have clearance and/or a need for that information) would violate the CFAA and possibly the Espionage Act[1].
However, in this particular case, an end user is accessing data (with appropriate credentials that have access to no more and no less than the data they are authorized to access) for which they have appropriate authorization. As such, it can't be a violation of the CFAA. So, where's the "crime" here?
I'm not sure how you're getting from point A to point B here. If you could help me out, I'd appreciate it.
> If a badly configured NSA server displays confidential data on your screen, you're still a criminal if you make use of that to access data.
If a badly configured NSA server gives you data, intentionally accessing it (and/or then misusing the data) would be the crime. I don't think it matters whether you view that data in a browser, a terminal or some third-party client.
Here, the third-party client is accessing the exact same data the official client is. It's not bypassing any access control, in fact it needs your credentials to be able to access the data you're authorized to view.
> According to? That's an ethical stance one can take, but it isn't how our laws work.
I'm not even sure if a law has been broken here? Breach of ToS != crime. As far as I know there is no unauthorized access taking place - the unofficial client is using your credentials to legitimately access the same API as the official one does; it's not giving you any extra data that the official client doesn't.
Of course it wouldn't be a breach if the data just popped up on your screen without you actively trying to access it.
But if you, knowingly, access material you shouldn't have access to, it could be a breach of ToS.
> Breach of ToS != crime.
Breaching a contract is not generally a crime either. But it might lead to a civil case.
> The data served via API isn't yours, that's FB's data. You can download YOUR data via a page on the FB site.
Just to clarify, that means your answer to the question:
I could be using nc[0] piped through openssl, rather than a web
browser (do you believe Meta can mandate which browser you use
and/or what add-ons/extensions it runs?). Is that "hijacking" the
API?
Would be "yes." Is that correct?
If so, please consider what that means for your property rights.
Devil's advocate: you see a ToS when using a service for the first time. If that ToS is not illegal in your jurisdiction, you may either accept it, or abstain from using the service. How are you eligible to use any service beyond their ToS? It's like a private club: adhere to the rules or go find another club. Or, even better, open your own.
I agree with you wholeheartedly. However I can't resist shilling self hosted alternatives here.
> There's no reason I should have to be subjected to untold tracking, snooping and advertising functionality to be able to post or look at photos and comment on them.
Stand up your own PixelFed instance for your family and friends today!