[personal profile] joshua0

Here's something that's been kicking about in the back of my mind for the past few days, ever since I saw it happen to me. Every time I think about it, I get really angry, and I feel like I should write about it; and then I get too angry to figure out how to structure a post. The gist of what follows is that an internet service stole your personal information from me. There are lots of people I could blame, but at the end of the day, the data was on my phone, and then it was in the cloud somewhere that I don't control. It came from me, and I apologize. This won't affect most people, but as you'll read, there are some that it could -- and the practice by which it took place, on a wider scale, is extremely dangerous for a handful of groups of people that we already systematically oppress.

This post has been updated since it was originally written to include another example.

Screenshot text: "Joshua, Facebook is better with friends. See who's on Facebook by continuously uploading your contacts."

The tale starts off innocuously enough. I hadn't checked Facebook in a few days, and like a child in need of attention, it decided that it needed to up the ante and push a notification to my phone inviting me to come visit [1]. Eventually, I gave in and tapped on the notification; but instead of giving me the list of things that have happened recently, it brought me to the screen you see at right. Obviously, I didn't click "get started", because I didn't want to "continuously upload [my] contacts" to Facebook, but I did click that little hiding-in-tiny-grey-on-white invisible link to "manage or delete" contact information that I share with Facebook.

I was in for a nasty surprise. On that page was a long list of friends, with their phone numbers listed next to names. Some had e-mail addresses; some had names that I couldn't tell the origin of, and some had names from the phone book on my phone. I was angry; I'd never turned on the contact sharing, as far as I could tell, and I would never intentionally agree to that. The problem got worse, though; I clicked on the "delete all of your imported contacts" link on that page, and was brought only to a Facebook Help Center page that helpfully gave me instructions to go back to the previous page, and select a "remove all contacts" option that doesn't exist [2]. Facebook had made it impossible for me to use my phone to delete the data that it had stolen from my phone.

On the surface of it, this made me angry. Never in a million years would I intentionally agree to upload all of the data that doesn't belong to me to Facebook. Looking at the list of contacts that it had taken, it seems to have been relatively recent -- say, at least in the past few years, since I've been working at NVIDIA. I consider myself to be relatively adept at avoiding dark patterns designed to trick users into enabling user-hostile behavior (consider, for instance, the prompts on YouTube that were attempting to force users to "upgrade" to Google+, which I somehow have successfully avoided until now). But even as a power user, at some point in the past, I must have gotten tricked into allowing Facebook to upload contacts from my phone. I was angry that I got tricked.

The more I thought about it, the more I realized how upsetting this is. This is not just about me. So, allow me to present my point in two lights: one, a user (even a non-power user) should have choice over what is uploaded from their phone; and two, people who have no business relationship with Facebook should not have their information uploaded without their consent, and there are people for whom it is very dangerous for their personal information to be uploaded to Facebook. I'll address these individually.

The first is straightforward, but painful. I consider myself to be an experienced user, and I hold the expectation for myself that I know enough about my computer to be in control of what it's doing, and what data it's sending where. But let's say that the bug that caused this to happen somehow was fixed, or that if it wasn't a bug, I managed to look more carefully and avoid doing whatever it is that I did that uploaded everyone else's data to Facebook. Let's say that Facebook fixed it just to that point, and not beyond. That's not good enough. Our responsibility, as engineers, does not end with protecting the powerful. It is not sufficient to say "we gave them the option, and it's not their fault if they didn't click the little tiny box opting out". As computer designers, it is unethical misconduct if we don't aim to protect the most vulnerable users of our systems as well as we protect the well-off. There is an excellent essay addressing this subject by @SwiftOnSecurity; if you haven't read it, you would do well to carve out the five minutes that it takes to read it. We would not tolerate this in any other professional engineering discipline; "growth hacking" is not an excuse in ours, either.

The second is less straightforward. It's easy to understand, in concept, that people should be in control of their own data, but the concrete harm to a person whose data has been compromised is not necessarily obvious. Beyond the fact that software bugs can, and in the past have, resulted in these data being given away to people who shouldn't have them (let that sink in for a moment...), there are real issues even when everything works "right", according to the policies and rules that publicly exist.

Consider the hypothetical case, for instance, of an underprivileged demonstrator, perhaps associated with any of the many modern-day civil rights groups. This person can't afford two phones ("one for me at home, and one for me when I go to demonstrate"); they add the phone number of a friend that they have met at a demonstration. Their friend has now been uploaded to Facebook. At this point, a government entity doesn't need to serve process on the demonstrator to understand who else might be in their network; even if their friend doesn't use Facebook, never has, and never will, a local government can serve process on Facebook and get a data dump of everyone that the demonstrator has ever met. The demonstrator can encrypt their phone all they like, and say no every time a uniformed officer kindly asks if they'd mind handing their phone over; it won't matter. Someone else is now being harassed by the police because someone else that they exchanged contact information with uploaded their contact info to Facebook.

This is, admittedly, not something that I have direct knowledge of. It's not a main part of the piece of the world that I live in [3]. But it happens all the time. We'll never know what the court orders all were, and whether they went after these data, or something else. But our governments are not fools: if they didn't use this tool, they would be missing extremely valuable sources of information.

I present, however, as an alternative, a group that I at least have connections to. This is actually the bulk of the reason why I write this; to these people, I apologize more than anyone else. There are people in my phone who have, at some point in their lives, transitioned; I have their phone numbers, but I have them either by their new names or, for people I've lost contact with over the ages and never got around to updating, by their deadnames. I am terrified that Facebook will use these data in the enforcement of their trans*-antagonistic "real names" policy. I am terrified that people I know will be harassed by Facebook because of my failure to safeguard their information. And I am terrified that data that I accidentally uploaded could be used to link a new identity to an old identity, or the other way around. Facebook provided platitudes about how the data would all be used in accordance with their privacy policy, and linked to no specific section of a tome tens of pages long. I don't believe for a moment that that privacy policy protects against using that information to harass my friends.

I'm angry because Facebook betrayed my trust. But I'm really angry because Facebook have failed to protect the people who don't know better, and the people who don't have a choice at all. Here's where I'd tell you that I'm deleting the Facebook app from my phone, and this and that. Well, I can't. I'm forced to use it, because removing it would mean cutting myself off from the people that matter to me -- an awfully self-destructive action, to be sure. I went and deleted all the data from Facebook, and checked that Messenger didn't do the same thing (yes, they're different -- just when you thought you deleted one, the other could have done it too).

But at the end of the day, there's nothing I can really do about it. The joy of the cloud is the ability to make you truly powerless over your computing experience. All I can do is write -- and apologize.

Screenshot text: "Allow Vine to upload and store my contacts"

An addendum, February 27th, 2016: in case anyone thought I was just picking on Facebook, let's be perfectly clear: this sort of practice is widespread. At right, you see the default settings for Vine. Luckily, I installed Vine while running Android M, so the contact-uploading sort of affair can't happen again (I hope), but in the meantime, my phone number has now somehow become linked to my Twitter account. Linking phone numbers with online profiles has been proven in the past, time and time again, to be dangerous. Doing it by default may not affect as many people from a single action as uploading contacts, but it is no less unethical.

[1] This is pretty good in and of itself. I have never seen this notification before; it appears to be the kind of user retention thing that they resort to only when they think that you've lost interest in the site. (I have, but that's a different post entirely.)

[2] I tried the same on the web site. The "manage contacts" button is all but impossible to find on the web page. It seems intentionally buried. I clicked "delete all contacts", which actually showed up there, and I was informed that it might take several minutes. I clicked back, and refreshed, and my contacts were all still there. It did eventually appear as an empty list after a few minutes; I have no confidence at all that any of the data has actually been deleted, though.

[3] There is probably a good argument that it should be.

Powered by Dreamwidth Studios