Hacker News

Why should 3rd parties be allowed to make unauthorized api requests?

Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

I don't align with Meta on a lot of issues, but they should be able to control what apps interact with their platform. Don't like it, don't use it.



The 3rd party is not making the API request though. I am, just using software that didn't come from the platform vendor.

Many 3rd party twitter clients have expressed a willingness to display ads if provided an API to do so.

As someone who has lost precious accessibility capabilities because of restrictions on 3rd party clients, I unfortunately have to point out that I don't really have a choice of what platforms I do or don't interact with in a lot of cases. I wouldn't stay at my job for very long if I didn't tolerate Slack's BS, for instance.


Let me offer you a question then: Do you know how much data the OG App is taking from you while you authorize it to work on your behalf? How do you know it's not reading through your entire message history? Or building its own network graph of your friends to sell? How about security? How do you know it's securely storing your credentials? Or that it's not selling said credentials as well?

Like in this scenario to Facebook it is in theory effectively you. Not the app operating on behalf of you with a limited set of permissions.


Yes, people can and will write malicious programs. Those will sometimes take the form of third party clients for a service. That is not and will never be a valid argument against them being allowed to exist. Monopolies are not ok. Abusive behavior by the dominant market players isn't ok.


Yes, but my point is that said clients should have to talk through properly secured APIs and required by law. Until then, an app like this is a massive, MASSIVE security risk and I would question the sanity of any team that saw something like this and ignored it.


> should have to talk through properly secured APIs

I don't follow what you mean by this. The API endpoints that a company provides ought to be secured properly. In practice they might or might not be but obviously they ought to be.

I don't see what that has to do with third party clients though. A third party client is stuck interacting with whatever API the company provides, however secure or insecure it might be.


I mean from another perspective this is effectively a MITM style way of interacting with Meta's API. They are behaving as another unauthorized layer between the user and Meta's API. In actual secure systems involving third party clients the client usually authorizes itself on behalf of some user requests or permissions, so while it does things for the user there's a clear and secure delegation of permissions.

Have you done much work with authorization? To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?

Now let's say that same website instead redirected you back to Steam (properly) and requested authorization on behalf of you. Is this secure?

Now which bucket does this app fall under?


> They are behaving as another unauthorized layer between the user and Meta's API.

Unauthorized? Hasn't the user explicitly authorized this layer by installing the app?


> To put it in another way let's say there was a website that said it authorized with Steam. It asked you to put in your steam username and password. Is this secure?

"Is this secure?" fully depends on what the attack vectors you're considering are. Breach of the server's database? Make it an app instead of a website and make requests directly. Malicious code in the client itself? Make it open source. Now it's even more secure than the official client.

But regardless of all of this, how is it any of the service provider's business what I do with my login details? It's my data on my account. If I use it in an insecure fashion, that's my problem. I am free to post my login details on Twitter for everyone to see, so why can't I put them in a database on some Russian dude's basement server?


Moreover, exactly how does said 3rd-party app differ from a web browser? Is it not a 3rd-party that has full access to login credentials, cookies, etc? Do they prohibit certain browsers from using their websites and APIs?


This might not be the response you expected, but the app is only a security risk because it's not open source, and you can't audit its changes when you install an update. :)


Sure, there's a risk there. But it should be my choice whether or not to accept that risk, not Meta's.


In this case the risk you take doesn't matter (though I argue from a security standpoint this is something you should really care about in any argument around Meta), it's the risk Meta takes by allowing it. Because if the company takes your data and runs, Meta is the one also on the hook for not securing their APIs. If it turns out they're farming passwords from users to sell to whatever group ultimately the class action lawsuit will come out with knives facing Meta.

Like this is a security problem, straight up. I would hope that you can agree on this and that not securing your API is bad.


What do you mean? On what planet is it a provider's fault if a third party farms logins through a custom client. It's not their fault if I get phished, if the little booklet I store my passwords in under my pillow gets stolen, if my computer is infected with a RAT... so why would it be in this scenario?

I only got a few posts into the thread before Twitter booted me out for not having an account, so maybe there's some context I'm missing, but what kind of "not securing your API" are you talking about? The fact that a third party, explicitly authorized by the user, was able to make actions on the user's behalf, doesn't make it secure, it makes it functional.


> What do you mean? On what planet is it a provider's fault if a third party farms logins through a custom client.

Earth: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...


> Cambridge Analytica then arranged an informed consent process for research in which several hundred thousand Facebook users would agree to complete a survey for payment that was only for academic use.

> However, Facebook allowed this app not only to collect personal information from survey respondents but also from respondents’ Facebook friends.[13] In this way, Cambridge Analytica acquired data from millions of Facebook users

FB gave them data about friends, when it was supposed to only give them data about respondents. Totally different situation.


Yes, the reason this happened was that when a user authorized the Cambridge Analytica app, it would have the ability to view information about all of that user's friends. Sound familiar?


The fault was not in anything CA did, even though I think what they did was bad. The fault was in Facebook letting clients access more data than you authorized them to.

If I approve an access request for a low level engineer to get a single repo from github, and github lets them access every repo on our orgs account, that's a huge fuckup by github, not me.
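The two points argued above (a client that holds your password versus one that was delegated limited permissions, and a service handing out friends' data the user never granted) both come down to what the resource server checks on each request. The following is an added example, not code from any commenter or from Meta; the token format, scope names, users and client names are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # constructed value for this example only
ALL_SCOPES = {"profile:read", "messages:read", "friends_profile:read"}

# Constructed sample data: every record has exactly one owner.
RECORDS = {
    "alice/profile": {"owner": "alice", "kind": "profile"},
    "alice/messages": {"owner": "alice", "kind": "messages"},
    "bob/profile": {"owner": "bob", "kind": "profile"},
    "carol/profile": {"owner": "carol", "kind": "profile"},
}
FRIENDS = {"alice": {"bob"}}


def issue_token(user, client_id, scopes):
    """Mint a signed token binding a user, a client and the scopes the user approved."""
    claims = {"sub": user, "client": client_id, "scopes": sorted(scopes)}
    body = json.dumps(claims).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, sig))


def password_login(user, client_id):
    """A password is all-or-nothing: any software that holds it gets a session
    with the account's full authority. client_id is only what the client claims."""
    return issue_token(user, client_id, ALL_SCOPES)


def verify_token(token):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(body)


def handle_request(token, resource):
    """Resource-server check for a read; returns an HTTP-style status code."""
    claims = verify_token(token) if token else None
    if claims is None:
        return 401  # no valid credential: refuse instead of serving the data
    record = RECORDS.get(resource)
    if record is None:
        return 404
    user = claims["sub"]
    if record["owner"] == user:
        needed = record["kind"] + ":read"
    elif record["owner"] in FRIENDS.get(user, set()):
        # Friends' data needs its own explicit grant; it is never implied
        # by a grant on the user's own data.
        needed = "friends_" + record["kind"] + ":read"
    else:
        return 403
    return 200 if needed in claims["scopes"] else 403


def demo():
    """Compare a narrowly delegated token with a password-derived session."""
    delegated = issue_token("alice", "survey-app", {"profile:read"})
    full = password_login("alice", "unofficial-client")
    return {
        "delegated, own profile": handle_request(delegated, "alice/profile"),
        "delegated, own messages": handle_request(delegated, "alice/messages"),
        "delegated, friend profile": handle_request(delegated, "bob/profile"),
        "password session, own messages": handle_request(full, "alice/messages"),
        "password session, friend profile": handle_request(full, "bob/profile"),
        "no token": handle_request(None, "alice/profile"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{status}  {case}")
```

The password-derived session passes every check the account owner would pass, which is why the server cannot limit what such a client does; the delegated token is stopped at the scope check.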


No, not even remotely similar. A user authorized CA to see their data for the purpose of a research survey. CA got more data than the user thought they were giving them. With a custom client, the user is giving the client their account for the purpose of accessing all of Facebook through it. The client is getting exactly what the user is giving them and it makes perfect sense that it needs it.


Should you secure your API? Of course. But you should not secure my data from me.


If you use the third party app, it might be doing all that stuff. If you use the official app, it will be doing all that stuff.


By this logic, it should be illegal / a breach of contract for you to run an ad blocker, since the company may not make money? Should you also be forced to look at ads and not switch channels while they're on TV, with the channel being free to cut access if they find you haven't been looking at the ads they serve?

This logic really bends over backwards to support FB's and similar business models.


Rather than just blocking the request for the ad, if an ad blocker allowed the requesting site to make the request for the ad but then just sent the data to the browser's equivalent of /dev/null, I'd be fine with that as long as I never had to see/hear the ad.

This is of course ripe for abuse, but that's just synonymous for digital advertising in general. I don't consider it any different than me hitting mute on the TV during ad breaks or getting up and going to another room during that break.


This makes absolutely no sense whatsoever.

If you don't think sites have a fundamental right to push ads to sustain themselves (as I don't), then blocking the request is the best place to do it for performance reasons.

But even if you do believe in that right - the site and advertiser care about a single thing: a human being seeing the ad. Serving the Ad request is not just useless for their purpose, it is actively costing them money, and potentially muddling their data.


>the site and advertiser care about a single thing

I disagree. The site just wants the advertiser's money. The advertiser wants the human to see an ad.


The user wants to support the site, and doesn't want to see the ad.

Why not have the browser /dev/null them, and click a few for the heck of it? It would be in the user's interest.


AdNauseam does this, it clicks all or most of the ads that it blocks. It's based on uBlock too. https://adnauseam.io


Isn't this what I stated in the original comment?


Doing that is borderline fraud - I believe that GP meant to highlight this. If it gets counted as actual clicks, it's actually explicitly defrauding the advertiser.


Is it though?

Most people sometimes leave the room while ads play on TV. The advertisers know that and work the percentage of people that do that into their pricing, etc.

Also, non-organic click fraud is rampant already (and maybe even the majority of clicks). /dev/null + click would at least route ad income to reputable sites that at least have some human readers to view future ad impressions.


There is a difference between you ignoring ads as a user, or an adblock tool removing the ads entirely, and a tool that explicitly tries to make it look as if the user is interacting with the ads. The last tool is actively malicious and deceptive in a way the others are not.


I never meant to imply clicking the ads in order to get fake clicks. What I meant was for any ads posters/videos that are loaded during page load to go ahead and load them BUT don't display them. This gives the website the impression count, but no fraudulent click throughs. This was how I was equating it to walking out of the room during broadcast commercial breaks.


That would still waste bandwidth.


Yes, if a website clearly stated that by accessing the content of the webpage you agree to not use an adblocker while doing so, that could well be legal depending on the circumstances. Enforcing it would of course be difficult.

If you found out Netflix actually streams their content from a public endpoint, you would not be legally allowed to take advantage of that.


No one should be able to control what apps interact with their platform. Companies should have exactly zero control over how people interact with endpoints they open to the internet and it should be illegal and unenforceable to try to create any contractual obligations about how someone interacts with your APIs.


Cheers, I have never before heard anyone else say these points I've been arguing (without me saying it first, at least). I feel a real sense of relief not being the only person "in the room" to say this, for once.


This seems extreme. Do you support fair use limits, or is blocking a DOS attack also a violation of these rules?


I don’t see any reason that fair use limits or blocking interactions that behave like attacks should be incompatible with allowing and not penalising the use of third party clients.


Let’s not be ridiculous. DOS is not use, it’s abuse.


I want to preface this with that I agree with your point that DOS is abuse and not actually trying to use the platform.

I disagree with calling the question ridiculous. If we’re involving legality like the poster up thread implied with making this illegal then there needs to be some sort of test or rule put in place on what constitutes illegal activity. We currently don’t have one and whenever a new rule is put in place you quickly find out that there is a significant chunk of people who would find anything you think is obviously wrong to be obviously right and vice versa


And using their servers and resources without generating them any revenue is not abuse? They clearly don’t want you to run a third party app without ads, yet you feel entitled to it?


No, it's not. In this case, abuse is about intent: DOS intends to cause distress, losses and denial of service to others. Use with third party apps without ads intends none of this: the intent is to use something else to access the service in an otherwise normal (to the user) way.

Arguably third-party apps that are scrapers are somewhere in between these two in acceptability, but that's a question of "are scrapers morally fine and should they be legally allowed", not a question of whether third party clients are to be allowed at all.


If I access your API I’m using your server because you offer it publicly. That is not abuse.

The distinction is about whether you should be able to offer something publicly, taking advantage of public infrastructure to do so, and then make demands about what the public do with that.

Companies want to do the electronic equivalent of putting copyrighted media on a billboard in a public square then claiming you need to sign a contract to look at it and then only through special glasses they provide.


When you signed up for an account you agreed to those terms, the api is not public/unauthenticated.


forgot /s


I think I should have the legal right to access private messages addressed to me by family members via the service explicitly designed to facilitate private communication between friends and family members. I don't think I should be forced to see advertisements and be subjected to historically-unprecedented surveillance to read those couple hundred bytes of text from a family member.

When a platform's primary purpose is communication, certain legal rights should be invoked immediately. In my opinion, one of those rights should be the ability to access those communications by any 3rd party client that doesn't intentionally function maliciously. How "proper 3rd-party client behaviour" is evaluated can be a problem for the industry to solve. They have the $trillions to figure something out. I think they'll survive.

The argument "don't like it, don't use it" isn't a very reasonable argument when, socially speaking, you "have" to use a given service (usually the regionally-omnipresent service) to be included in society. Communication is the foundation of society and of human existence. I miss out on a shocking and honestly depressing amount of social activity because of my boycotting of FB, IG, WhatsApp and other similar services.

I expect that our ability to communicate is carefully protected and treated as something crucially important. There's a reason there are SO MANY commercial services around communication and they are largely the most lucrative, because everyone NEEDS to communicate. People will subject themselves to extremely disadvantageous conditions to enable communication with others. Think about it. Facebook, Twitter, Instagram, TikTok, the internet, cellular phone service. These things are fundamental to communication in global society, and a TON of laws are written to govern their employment/usage. Internet communication just happens to still be pretty early in the stages of its effect on humanity, and as usual the legal world is well behind what those effects are. The effects are finally being felt. I believe my feelings on this subject will become more widespread as people realize how deeply they have been exploited by industry (once again).


I disagree. No one has the right to use facebook/twitter/etc as they wish, or even at all. They're not necessary for modern western society. SMS and phone calls are always an option. We aren't like China where if you don't have WeChat you can't do anything.


On the flip side, then, no government organizations should use Twitter as their primary form of disseminating information. I should be able to get this information without creating an account on these platforms (looking at you, MBTA).


Yeah, I totally believe this -- no government organization should be allowed to post public announcements/information to a proprietary platform gated behind a ToS without also posting that information on publicly-accessible unencumbered locations like a basic, low-resource-usage website.


The forces at play when it comes to communication platforms are not so black and white. I didn't say that I expect to have the inalienable right to use the service. I just expect to have the right to use the service without especially onerous "cost" to me (such as being subjected to privacy-invading surveillance/tracking technology and advertising). If someone goes on there and spouts walls of swearing and racist memes or whatever, yeah, banned.

And, actually, have you tried just not using Facebook for a year? Don't even log in whatsoever? Try it, seriously. I have missed parties, concerts, family gatherings (seriously), news of births, marriages, new homes, major life events (including deaths). I found out my cousin had a kid like 6 months later. I found out a friend died months after it happened. I miss out on the opportunity to partake in things that would have greatly enriched my life. This is the cost to me, personally, by opting out of THE platform that EVERYONE uses. I can't just constantly SMS and call everyone I know asking them every detail of their life, because they exclusively share it all on Facebook. You simply cannot invalidate this very real cost as "yeah well, just use something else".

These huge costs of exclusion are exactly why I believe that I should have the right to access de-facto-standard communication services with software that respects my psychological stability, privacy, accessibility needs (including cognitive), of my choice -- again, as long as that software conforms with proper API usage behaviour. Right now, I'm in a pretty coercive position where I either subject to the objectively-harmful design of the Facebook platform, or face pretty adverse effects to my socialization. That's one reason case where governments enact laws, to protect individuals from these sort of extremely skewed power imbalances.

BTW, I get what you're saying. All these services are technically optional. I kinda used to feel that way, until I actually started not using the services that I felt were manipulating and coercing me. Then I realized just how much power these services have over us. I realized these services are optional in just the same way as the telephone and the automobile used to be. Totally still optional. Just mail a letter instead. To me it's like, at this point, as a society, we need to decide whether we care if someone can be seriously cut off from modern society because they don't agree to have advertising shoved in their face, manipulative "algorithmic feeds" selectively shown to them to "drive engagement", and unprecedented surveillance cataloguing their every action 24/7/365.


> some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

They're welcome to find a different business model. Why should we sacrifice interoperability for everyone for their sake?


Why should you get to use their servers and resources if they don't want you to be using them without displaying ads?


TV channels don't want you to mute your TV when they display ads, should TVs block this functionality to force you listen to their ad?


Probably because literally every single friend and family member of mine is on there and sharing their entire life there (and messaging me) and I can't take part in that. I said in another comment that once a platform provides that degree of communication, certain rights to protect the users should be applicable, to ensure we are able to participate in society without onerous cost to our mental health, dignity or privacy.


They're welcome to take the servers down altogether, if they can't pay for them without displaying ads.

Or require an API key that's tied to a particular account that pays for access.


If shops don’t like shoplifters, they should stop putting products on shelves where anybody can just take them and walk out - it’s dumb to get the police involved to keep sustaining this obviously-flawed business model.


Stores DO lock stuff up. Nevermind that shoplifting is barely even a concern for most large stores, as they lose significantly more to other means of "shrink"


Why are first parties serving unauthorized API requests? If the API request is unauthorized, surely the proper response is "401 Unauthorized" and not "all the data you asked for, but then I'll find the people who helped you and get mad at them"?

The problem here is that Meta wants to plug things into the internet and then control who gets to ask for those things. This is not how the internet works, at all. If you don't want third parties accessing your APIs, lock them down.


I'm willing to bet the instagram app already signs their api requests to make sure they're coming from the app. Third party apps are reverse engineering that. If you try to send a request without those headers, it'll very likely give you a 4xx code.


The DMCA already has provisions that say reverse engineering for interoperability is fair game.


You can reverse engineer it all you want, the issue is when you publish something that interacts with a remote resource in a way that the owner of that resource did not allow you to.


This.

> unauthorized api requests

The word "unauthorized" has two meanings here:

One is authorized by the user, another is authorized by the vendor.


While I mostly agree with you, banning the personal accounts from their *team* is a bit much. Specially considering how that also includes access to Instagram, and WhatsApp, WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.


I agree, it's a bit much. But they are all violating the ToS they accepted so...


By that logic, every employee of Apple/Google/Meta or at least the ones working on related projects should be handed a fine every time Apple/Google/Meta gets fined by the EU for breaking the law/abusing its position? They are violating the law after all.


I don't see how to conclude that from my logic.

An equivalent one is a company not allowing Google employees to use their services for whatever reason. That's fine and acceptable.


You mean that document saying something like: "we can do what we want, no recourse possible"?

That should be forbidden too.


I'm pretty sure there's a line there about reverse engineering


You can put whatever you want in a contract, and the other party can sign it, but that is not enough for it to be valid. Contract law usually has call outs against obviously absurd, overreaching, or "I own everything and anything" clauses


> WhatsApp being the biggest issue here since in many countries that is considered a way of conducting business.

Absolutely the best reason why businesses should move to Signal. Imagine if your business gets cut off from Meta products, or if at any moment some of your customers get cut off.

Facebook is an extremely limited and poor platform for representing a business, and it too should be avoided for the same reasons (and for being such a garbage fire in general).


Signal is another centralized platform which explicitly prohibits using 3rd party clients.


Why shouldn't I be able to use the software of my choosing? If I have an account and have properly authenticated, the client I use is my choice.

You can't reasonably make the "go elsewhere" argument with the monopoly hold FB has on much social data. We need to choose to regulate them and others to force interoperability, or at the very least allow comcom explicitly (competitive compatibility).


Because your access to their API is conditioned on an agreement not to use unauthorized clients. You are free to use the software of your choosing in conjunction with your own computers, but not necessarily with everybody else's.


What's an unauthorized device? If I fork chromium and make my own browser what makes it authorized or unauthorized? If I make a CURL request from my terminal is that authorized or unauthorized?

If FB blocked any requests from Firefox Focus they'd likely be in hot water from government agencies.

Do they have the right to block any other app?


“You shouldn’t be able to do something because it’s not allowed” is a tautological argument. Parent comment is arguing that it should be made allowed.


[flagged]


This kinda is how freedom works though. You're free to use whatever client you want, and Meta is free to implement API in a way that will not allow your client to call it.


Technically free and actually free are not the same thing.


So I should be able to steal from my neighbor because that's true freedom? Because you're using their resources and servers in a way they didn't authorize.


It's not stealing if they gave you the data.


They don't though. They're giving the data to the original client, not to the third party one. They're free to choose who they're giving the data to and you accept those conditions by using their product.

¯\_(ツ)_/¯


They gave you the data conditioned on an agreement not to use unauthorized clients, the same way any number of real-world businesses "give" you things subject to conditions, like the waffle maker in the hotel lobby which requires you to stay there overnight to use it.


What if your neighbor lends you a book, subject to the condition that you only read it to your sons, not your daughters? Are you stealing if you read it to your daughters anyway?


I don't know, because that's not a real agreement, unlike the hotel waffle maker and Instagram's client rules.


So you want to consume their content, use their servers, but not display their ads?


They are free to cease offering unpaid accounts if they wish.


Nothing prevents a third-party client from displaying ads.


I think the perspective here is a very interesting one. Typically, such transactions are seen as between a user and a service provider. There is an agreed-upon protocol, and so long as everyone sticks to the agreed-upon protocol, the exchange can be successful: this is the basis of Email, the Web, etc.

Taking aside advertisement for a moment, what you're suggesting is that the level of control should go as far as which clients are allowed to speak a given protocol. This would be similar to the landline system during the monopoly days, where you were only allowed to connect an officially-approved phone (with a correspondingly high ongoing rental cost) to the copper lines.

From my perspective, there is no 3rd party involved here: there is an API surface which is developed and supported, and there is a client/customer who is interacting with the service through that API. Advertising either needs to be implemented into the API (good luck--see the demise of RSS), or the 1st party needs another business model.


> Additionally, some apps are only monetized through advertisement, and 3rd party apps don't display them. How do you expect the 1st party to stay in business?

Ad blockers are already a thing. Should they be forbidden?


My position is that if a website uses anti-adblock and you're using an adblock, circumventing it isn't okay. You're free to use a different website.

Now, one could argue that by displaying ads in the first place, using an adblock is circumventing something therefore it isn't okay (basically remove one layer of abstraction from the previous sentence). That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).

One could argue that allowing adblock users is a strategic decision in hopes they can spread the use of the website and payoff their "debt" that way. I operate web games and I allow adblock users for that reason.


> That's also a fair position, but not mine because of entirely selfish reasons (it's inconvenient to me and non-adblock users are subsidizing my use of those websites).

That's fair - you are knowingly subsidising adblock users. If you don't want to subsidise adblock users, you're free to use a different site.

(That's your basic argument, right? Freedom?)


Should phone companies get to force you to use phones you rent from them, instead of having the freedom to bring your own?


If that's their business model and they want to, sure. I'd guess that most wouldn't because it's not as profitable (they'd lose too many customers).


I don't think there should be "freedom of business model". We aren't obliged to respect and comply with your choice of way of getting rich. If your business model is dependent on people looking at you in the "right" way then tough luck.


I don't think there should be "freedom to use my stuff but ignore my rules" model - if a person (or a company) is providing a service, they should be able to do it the way they like. Don't like the rules? Don't use the service.

If there was fraud involved, one party may get damage/compensation. But forcing someone to provide service is just not right.

(With the exception of monopolies of course. Let's regulate them.)


Should your power company be able to impose a rule on you that you must not plug any Samsung-branded appliances into any outlets in your house? Re your "monopolies" parenthetical, what if you live somewhere where you can pick what company generates your power? Would this be okay in those places?


Nobody has a monopoly on power generation, $30k can get you a self sufficient solar setup so obviously power companies should be allowed to create whatever conditions they want...... /s


That was literally how phones worked in the beginning - AT&T had to be taken to court to stop it.


Exactly - until legal action happened. I think internet user rights have a LONG way to go, and I can only pray that stuff like "forced to look at insipid, manipulative advertising so you can continue to talk to your family" may indeed become a thing of the past.

I currently have an Inbox of multiple messages from family members awaiting me, except I refuse to log into Facebook to view them. The only remaining notification email I have left enabled for Facebook is exactly that -- private messages. This way I can contact the relevant person elsewhere and ask them what the message was. This is the kind of "bending over backwards" I have to do to avoid the surveillance-capitalism crap I'm coerced towards by these platforms that can do essentially whatever they want AND demand exactly how we are _allowed_ to interact with them. Why can't I use an unofficial Facebook Messenger client and read the <100 bytes of communication my family member wanted to send me? Ahh yes I have to agree to a hundred-page ToS and subject myself to ads and privacy-invading user tracking to see those few bytes. This is fine.


That's exactly what phone companies used to do, and they only stopped when the government made them stop. It was more profitable for them, at our expense.


AFAIK you've always been able to bring your own phone. They just wouldn't unlock your subsidized phone after the contract ended (which I find unfair, but it's in the contract people signed, so...). Regardless, I think this line of thought is becoming too off-topic.

Why should the first party be serving content to people using third party apps that generate them no revenue? Just like websites are free to block adblock users, app apis should be free to block third party app users.


I'm not talking about cell phones. I'm talking about rotary dial phones back in the days of Ma Bell.


The United States government disagrees with you.


Meta isn't a utility that's been granted a legal monopoly / duopoly by the government, so it's not a great analogy.


Should websites be able to dictate which programs can access them? In a way a website is just an API too.


They do. Many of them expect Chrome. While Safari and Firefox are now much better supported than years past due to most sites complying with web standards, I still see some annoying incompatibilities here and there with older finance websites. I didn’t like it, so I switched to a larger bank. Your argument would have more teeth if Meta had a monopoly. It doesn’t.



Do you support AT&T's behavior there?


I don't think the same set of interests are in play there. Phone companies have a government granted monopoly on things like wireless spectrum and public rights-of-way for wiring and other infrastructure, not to mention subsidies and tax breaks.

I can't come up with a good justification why a private company on the Internet cannot dictate how you interact with them. Facebook isn't infrastructure.


Rules about things like DRM already have carve outs for "interoperability". A big example is back in the 90s, EA didn't like the rules Sega made for putting games on the MegaDrive/Genesis, so they did some reverse engineering work and made their own cartridges that worked great. Sega took them to court and got smacked down pretty hard, basically invalidating their entire anti-copy strategy.

We should push for MORE of the above, not less. We should push for laws that HELP people use the things they have, instead of locking them out of their own property. If Facebook doesn't like people trying to access their own content, Facebook shouldn't have built a business on everyone else's content. Nobody forced them to do that.


EA making games for MegaDrive/Genesis doesn’t cost Sega any money. You using the api without ever seeing any ads will actively cost Meta money. Not the same thing.


I agree that it's not the same thing, and I don't know offhand about the MegaDrive/Genesis in particular, but game consoles have often been sold at a loss with profit made on sale of games. If that was true for Sega at the time, anyone EA making games that motivate sales of Sega consoles but no purchase of Sega (or Sega-licensed) games would absolutely be costing Sega money.

I make no particular comment, here, on whether we should be defending that business model.


Why should 3rd parties be allowed to sell unauthorized devices to be connected to the telephone line?

Additionally, phones are only monetized through leasing, and 3rd party phones aren’t leased. How do you expect the 1st party to stay in business?

I don’t align with AT&T on a lot of issues, but they should be able to control which phones connect to their network. Don’t like it, don’t use it.


"How do you expect the 1st party to stay in business?"

Here is a different way to look at what is going on lately in the short history of the internetworked computer. To me, there is no legitimate "business". Meta cannot charge IG users a fee. They will not pay. If they would pay, then why not charge them. Instead Meta exploits IG visitors by spying on them. Advertisers will pay. Third parties will be interested in the data Meta collects. What Meta is doing with FB, IG or WhatsApp is not legit "business" IMHO, because, IMO, a business generally produces something of value that people pay for. Generally, Meta does not do that.

Newspapers sold advertising, but people were willing to pay for newspapers. Because newspapers produced something of value. They employed people to produce a product that people paid for: journalism.

Meta does not employ people to produce something of value that people will pay for. The content on these apps comes from the people who use them, and from journalists employed by newspapers, but not Meta. Meta make people the product, access to and data on which they sell to paying customers. Websites and apps are not "products". In this "business" the people who use them, their behaviour and the details of their lives, are the product.

A kid's lemonade stand looks more legit as "business" to me than a "tech" company producing so-called "products" that are given away for free, as bait. These are not the product that customers pay for, that no one likes to talk about.

Billboard owners sell advertising. They own or lease real estate with high visibility to traffic. It is difficult to avoid billboards because we generally use the same paths to travel in physical space. As such, billboards are regulated. Not everyone with land adjacent to high traffic routes can erect billboards. See, e.g., Highway Beautification Act of 1965.

Perhaps Meta is like a billboard company in a world that has yet to regulate billboards. IMO, Meta is far more of a hazard to life than a billboard is to the beauty of a highway. Meta does more than display advertising to people who use their websites and apps. Meta's "business model" is threatening the stability of society. If it is allowed to continue, it should be heavily regulated.

Imagine someone telling you, "If you don't like the billboards, don't look at them." Or "If you don't like the billboards, don't use the highway." It is not so simple. Now imagine Meta tells you, "If you don't look at the billboards, you cannot use the highway".

Meta is obscuring the true potential of the internet. It has given the internet a bad rap. Meta is not the internet nor its potential to improve people's lives anymore than billboards are the scenery. If left unregulated, billboards can obscure the scenery and eventually they can destroy it.


If you want to use their apps so badly to connect with friends and family, it seems like they’re providing you with legitimate value. Your payment is being exposed to their ads. This is a legitimate business.

Billboards are regulated because they’re inevitable. You’ll see them just walking around. On the other hand, no one is forcing you to use Facebook nor Instagram.


> Don't like it, don't use it

I don't like it and I don't use it, but unfortunately it's more complicated than that because of the network effect.


Because it allows for market competition at a tiny cost to a corporation. Free market competition in these ways makes people's lives better.


If it's unauthorized, then not only does it MITM the ad revenue, it MITMs the user's authentication too.


If it's a client, it's not in the middle.



