Facebook Got Caught Phishing for Friends

“The company cannot be left to its own devices, and existing enforcement authorities haven’t done enough.”

By Bennett Cyphers and Jason Kelley, Electronic Frontier Foundation:

Once again, Facebook is in the news for bad security practices, dark design patterns, and secretly reappropriating sensitive data meant for “authentication” to its own ends. Incredibly, this time, the company managed to accomplish all three in one fell swoop.

What happened?

Last weekend, news broke that Facebook has been demanding some new users enter their email passwords in order to sign up for an account on the site. First publicized by cybersecurity specialist e-sushi on Twitter, the unnervingly phishing-like process worked like this: any user who tried to create a new account on Facebook with an email from one of a few providers (including Yandex and GMX) was directed to a page that asked them to “Confirm [Their] Email”–by entering their email password.

Soon after the news was reported more widely by The Daily Beast and Business Insider, Facebook discontinued its verify-with-password program. EFF was made aware of the sign-up flow before the stories were published.  Armed with a burner Yandex email and a fresh browsing session, we were able to experiment with the password-grabbing tool briefly before it was shut down.

First, we observed that when we clicked on the “Connect to yandex.com” button, our email and password were sent directly to Facebook. Do not pass go, do not “Connect” to the third-party service the password belongs to. Facebook might not have stored our password, but it certainly saw it.

Firefox’s developer tools show a request being sent to Facebook with our (fake) email password in it.

At a glance, there didn’t appear to be any way to avoid signing up without compromising our email password in this way. However, in the background, the company had already sent a traditional “confirmation email” to Yandex. We could have closed this signup window, gone to our email, and opened the link from there. Boom, done, we’d be “Confirmed.” But oddly, we didn’t see any indication of that on the “Confirm” page at first. We had to click on “Need Help” in order to see a dialog informing us that, actually, there was no need for a password at all.

The Plot Thickens

In a statement, Facebook said it gave people “the option” to enter their password in order to verify their account. But why did the company build this tool at all? Asking for passwords you don’t need is a classic security anti-pattern: a commonly reinvented, bad solution to a common problem. Facebook is a huge company with plenty of security engineers on its payroll. Surely someone must have identified this as a terrible idea. And users around the web are familiar with the need to verify accounts with a click in a confirmation email; there was no reason to reinvent the wheel.

So why was Facebook’s design so intent on getting users to input their passwords?

It makes more sense in the context of what happened next.

When we clicked “Connect to yandex.com,” an overlay with a status bar appeared. “Authenticating,” it said. But wait—“Importing contacts?” When did that happen? What? How? Why??

Our fake profile didn’t have any linkable Facebook friends, but the tool went through our contacts anyway. After a short time where the status bar informed us that it had found 0 contacts so far, this message popped up:

Somewhere in a cavernous, evaporative cooled datacenter, one of millions of blinking Facebook servers took our credentials, used them to authenticate to our private email account, and tried to pull information about all of our contacts.

After clicking Continue, we were dumped into the Facebook home page, email successfully “confirmed,” and our privacy thoroughly violated.

It’s not about security. It’s about your data.

Some more digging around Facebook’s website reveals that this isn’t the only place it asks for your email password and then uses it to import contact data. In fact, the “confirmation” flow that we tested appears to be a reskinned version of a tool that Facebook calls “Find Your Friends.” (We were tipped off to the existence of the tool by Rob Price of Business Insider.) After we had signed up for our new account, we were ferried to this page as part of the onboarding process. At time of writing, versions of this tool were also available (though possibly non-functional) at https://www.facebook.com/?sk=ff and https://www.facebook.com/find-friends/index.php.

This tool is more transparent about its intentions, but it still qualifies as a security mess. Here, Facebook encourages users to enter their email and (email) password in order to “find friends” who are already on Facebook.

Let us be clear: don’t do this. Never give a third-party company, especially one with Facebook’s dismal track record, unrestricted access to credentials for another account. Legitimate services, like password managers, might store your credentials with end-to-end encryption, but they don’t try to access your accounts without your consent. And plenty of websites integrate with single sign-on services from the likes of Google (and, yes, Facebook) using OAuth, a protocol that allows a third-party service to verify a user’s identity without access to their real password. OAuth was standardized nearly a decade ago to put a stop to the exact practice that Facebook has engaged in here.

Facebook’s tool only worked with accounts from a set of “supported” email hosts, including Yandex, GMX, Yahoo, Hotmail, AOL, and Comcast. When we tried to enter an email from an unsupported host, like Gmail, we were informed that Facebook “can’t import contacts from this address yet.” Considering Facebook has sparred publicly with Google about contact-export features in the past, it’s unsurprising that Facebook wouldn’t attempt (or Google wouldn’t allow) automatic contact importing using raw credentials from Gmail.

This tool worked the first time we tried it, on April 2, but by April 3, after the story had broken, every email we entered (including the Yandex one) prompted a “can’t import contacts from this address yet” message. For now, it appears that Facebook may have shut down the “Find Friends” program as well.

Why is this bad?

Where to begin.

Before we get into the manipulative data import feature, let’s talk about Facebook asking for email credentials in the first place. For all intents and purposes, this is a phishing attack. A company you don’t have a prior relationship with asks you to “confirm your email,” and tries to get you to enter your password into a website that is not your email client. This is the oldest trick in the book.

Phishing attacks commonly target email accounts because they are extremely rich data mines. For better or worse, email accounts often act as de facto digital passports. They connect users to social media, bank accounts, and services like gas, electric, and cable. They can be used to reset passwords for hundreds of services around the Internet. If your email is compromised, everything else about your digital identity is put at risk.

We cannot emphasize this enough: you should not give your email password to websites that are not your email provider or client. In this case, it looks like Facebook “only” wanted users’ contact lists, but that’s a paper-thin justification for the kind of access it demanded.

Tech companies, non-profits, researchers, community educators, and IT departments around the world have devoted millions of cumulative hours — writing countless explainers, giving presentations until their voices have gone hoarse, fundamentally redesigning how trust on the web works with cryptographic certificates and OAuth — all to prevent users from doing exactly this.

And Facebook, in its first interaction with a cohort of newcomers to its service, throws this all out the window. This interaction, and Facebook’s implicit assertion that nothing is out of the ordinary, is conditioning its users to be phished. For a company that is many people’s primary portal to the Internet, that’s downright irresponsible.

Uninformed non-consent

But the mis-education of new users is just the first layer of this onion of awfulness. By collecting sensitive information it didn’t need, Facebook put users at risk of future data breaches. Even if the company never intended to store users’ passwords, it’s hard to feel secure given its track record of, well, accidentally storing passwords. (The company said in a statement that “These passwords were not stored by Facebook.”)

Perhaps worst was Facebook’s approach to user consent. The “Confirm Your Email” page gave no context for why Facebook needed an email password and hid information about how to sidestep the process.

Everything about the page led users to believe they had no choice but to enter their email password. And once they did, nothing about the page indicated how Facebook would use it. According to the researcher who discovered it, an older version of the page had a “See how it works” link that led to… nothing. It wasn’t even a link, just a string of text that evoked the idea of one. Before users had the chance to consent to any kind of data collection, Facebook was scraping their email accounts for all of their social connections. This is worse than a typical dark pattern, which might take advantage of people’s tendency not to read fine print. It delivered unwanted behavior that even the most savvy users should not have predicted.

This isn’t the first time the company has collected data for one purpose and used it for another, which is why we’ve demanded that Facebook leave your phone number where you put it. Unfortunately, this probably won’t be the last time, either. Every breach of user trust drives home further what we already know: the company cannot be left to its own devices, and existing enforcement authorities haven’t done enough. In the short term, the FTC should use its power to send a message to Facebook and the rest of the surveillance-driven tech world that unfair and deceptive data gathering has serious consequences. And in the long term, we need strong privacy laws to keep companies in check.

In the meantime, you can take this as an opportunity to educate yourself or your friends and family about phishing with the help of our Surveillance Self-Defense guide. File this one as a textbook example of when to turn and run away. By Bennett Cyphers and Jason Kelley, Electronic Frontier Foundation

Even if you never handed over a phone number, Facebook can still get it and monetize it. Read… You Gave Facebook Your Phone Number for Security. They Used it for Ads

Enjoy reading WOLF STREET and want to support it? Using ad blockers – I totally get why – but want to support the site? You can donate “beer money.” I appreciate it immensely. Click on the beer mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

 

  60 comments for “Facebook Got Caught Phishing for Friends

  1. andy
    Apr 5, 2019 at 3:55 pm

    I got locked out from my facebook account for not using it for a long time. To gain access they want the copy of my driver license. These people lost their minds.

    • Jack
      Apr 5, 2019 at 10:59 pm

      Andy,

      You should never ever have had a FB account for a starter.

      Now I hope you delete it and prompt all the people you care about to do likewise.

      You deserve better mate.

      and without insulting anyone, only ( bovine) now use FB.

      I also read some reference to “ passwords manager “ programs or apps in this article.
      as being safe or benign utilities !!
      ( this from people who should know better)!

      The best advice a fair dinkum ( worth their salt) IT security technologist can give you is:

      Dont think your data is safe on the internet, once you dabble in the “ proverbial “ you’ll smell of it.

      Anything else is but selling you their product, which normally is glorified BS.

  2. Old dog
    Apr 5, 2019 at 4:20 pm

    “In the meantime, you can take this as an opportunity to educate yourself or your friends and family about phishing”

    For as long as Facebook, Google and so many others data predators are legally allowed to collect as much private data as they please, no amount of education will prevent them from staying one step ahead of us.

    For as long as they are able to profit from selling our data they will continue to do so. What’s Facebook and Google’s downside? That they are summoned by Congress? Please. With the amount of money they throw at Congressmen there are zero chances of any legislation to protect the public.

    I’ve never had a FB or Google account. Yet, they have a ghost profile of my persona. If I want to delete it, I’ve been advised that I *must* create a profile first. WTF.

  3. Javert Chip
    Apr 5, 2019 at 4:23 pm

    At the very least, Facebook has a corrupt culture. Either this malignant stuff comes from management, or the culture is so toxic it just “naturally” pops up in the minds of software engineers.

    I’m not (ever!) a Facebook user, but it’s obvious kids and grandmas are. Over the years I’ve heard/seen Zuckerberg speak in a variety of setting on a variety of topics…he may have been an excellent software designer, but he’s never given an indication of having an ethical bone in his body (he reminds me of Eddie Haskell from “Leave It To Beaver”).

    I’m not saying he or his company is inherently evil, but he (and his company) are inherently unstable & unpredictable. Even as a red-blooded capitalist (retired CFO) I see this as a situation requiring appropriate regulation.

    • polecat
      Apr 5, 2019 at 7:03 pm

      He’s no Eddie Haskell …. He’s an Eddie Munster .. of the vampiric kind. And he need’s to be entombed .. in PRISON !!

    • fajensen
      Apr 6, 2019 at 3:12 am

      That’d be ‘yandex.ru’!? ….. I think Facebook were “incentivised” to do it.

      One should be aware that everything “digital” is also considered a weapon to be wielded at the discretion of the rogue security services and straight-up nutters like Bolton and Pompeo!

      The rather crude way this was done signals two positive developments:

      That they are getting impudent way about their station and very soon they will run into some interests they should not have messed with (like GCHQ and the anti-Trump effort);

      And it shows that the security services are becoming so bloated by their desire to meddle in everything and with everyone, no matter how little, that they are scraping the bottom of the talent pool.

      Regarding Facebook, I believe that they have a toxic management which naturally generates a toxic culture. In such a place, the decent people lose influence and leave, while the very worst rise to the top by reflecting managerial dysfunctional traits. Some deadbeats and no-hopers remains out of sloth or in the hope that “something will change” but it never does unless the business, or project, eventually collapse hard enough to break the management control on the information flow.

      Facebook will become the digital equivalent of Boeing, a desolated place where the captured authorities have their backs and fill up the accounts to such a degree that the business neglects, and eventually forgets, what they were once good at!

      • Javert Chip
        Apr 6, 2019 at 8:21 pm

        Pretty intense dystopian view you have there, what with EVERYBODY out to ruin your life…

  4. IdahoPotato
    Apr 5, 2019 at 4:42 pm

    I do not have a Facebook account and I do not hang out on sites that need you to have a Facebook account to post comments. I’ve also heard from my nieces and nephews that Facebook is “for old people”. They prefer Instagram, which is owned by Facebook.

    So I avoid Instagram as well. And use Whatsapp very very rarely. And do not have a Twitter account. There is a life outside social media. We tend to overlook that fact sometimes. Unfortunately my nieces and nephews cannot fathom such a life.

    • Argus
      Apr 5, 2019 at 8:47 pm

      Agreed. (Love potatoes, too, by the way). I shun social media and don’t feel the lack at all. There are other satisfactory ways of interacting with my true friends.

    • Nasty Edwin
      Apr 5, 2019 at 9:07 pm

      Interaction on this Blog is social media.

    • Mean Chicken
      Apr 5, 2019 at 9:31 pm

      My understanding is everyone has a FB account whether you know it or not.

      • Ed
        Apr 6, 2019 at 3:24 pm

        Yes. They track friends of your friends, which means they track you if you have a friend on FB.

        They must have a giant web of social contacts in the U.S. Quite a database. China is generating something similar about their people (and about the U.S. too? Why not? ).

    • Apr 7, 2019 at 11:02 am

      Your information gets on Facebook through third parties. The only saving grace is that most of this is metadata, not attached to any names or faces. On the other hand it is worth money and you are letting them have it for nothing.

      • Wisdom Seeker
        Apr 8, 2019 at 1:23 pm

        No, you aren’t “letting them have it”, if they are getting it from 3rd parties. They are just taking it. “We” are not letting them have it for nothing, the government and the 3rd parties are.

  5. CreditGB
    Apr 5, 2019 at 4:54 pm

    When I was still working, my company required email security training, and you had to pass with a 75% score. One of the most basic items was never give anyone your passwords. There were always hacked contact lists. That’s how malware was introduced, by sending it using a known person’s email account.

    What a total scam.

  6. clay
    Apr 5, 2019 at 5:29 pm

    Up until recently I thought that Facebook was a destructive monopoly that needed to be broken up in to smaller entities. But with all the revelations in the last month or so I have come to realize that is not enough. They are beyond redemption and even in smaller chunks they are still too corrupt. They need to be dismantled, employees scattered to the winds and the ground sown with salt so they or nothing like them can return.

  7. Rowen
    Apr 5, 2019 at 5:43 pm

    Facebook’s problem is that its advertising/profile business is dependent on its users giving them the data. On the other hand, Google can hoover all its data from passively from android, youtube, and chrome.

  8. Al Loco
    Apr 5, 2019 at 5:54 pm

    They are doing it because the can. Not in the legal sense but because people don’t understand how to stay secure. You ever hear about spyware anymore? No, because they are now called apps and they aren’t spying if you hand over the keys to your accounts. I tried to watch the Daytona 200 this year like past years on the web. The host website now requires an account. I messaged them saying I would pay with real USA currency for a guest login because I didn’t want to create another login and password. Guess what they recommended, “just use your email and the password you always use”. They don’t want my cash. You explain this to the majority of people and they look at you like you are a Flat Earther.

  9. Bankers
    Apr 5, 2019 at 7:06 pm

    They gave me another email of yours in a minute (fakemanjenkins111(at)yahoo(dot)com)… well I guess it’s fake also because you trusted them with it, but this is just to show how easily info can be accessed using these sites once someone gets a lead…I was just looking what info was given away there, it is not a site I use. Sorry if you got a password reset :-( .. oops.

  10. Apr 5, 2019 at 7:14 pm

    The day after Z’berg testified before Congress about how FB made mistakes and was doing its best to protect and respect privacy, I got an FB message from a friend of mine. It was a big colorful promo of how much fun the new FB messenger was and urged me to join. (The old messenger, which you can still use, gives you a tiny little box to read and write your messages to friends.) I’d look at that signup before and wouldn’t do it because it required my phone number. WTF for? So I wrote back to my friend that I didn’t use it, and told her why. She had no idea what I was talking about. She didn’t send it. FB fucking lied to me to get my phone number. They did it again about a month ago. That MF belongs in jail.

  11. polecat
    Apr 5, 2019 at 7:28 pm

    It’s almost as though one needs to be a coder/programmer to avoid the ever encroaching creepyness and guile of these Internet ‘Giants’ …. most of the public doesn’t have the background/training, or the stamina, or both, to fend off the constant nefarious actions that these corporations engage in. And really … why should one have to go through endless hoops just to communicate with other folks, without worrying about being constantly taken advantage of by the very service(s) they’re using ? IMNSHO, these companies need to be ring-fenced, then converted to public utilities as opposed to public hostilities, and thus strictly held to account when they fuck up !

    • Mean Chicken
      Apr 5, 2019 at 9:25 pm

      Shareholders pay fines in the thousands of dollars for the crimes of their executives!

      • Hobbes
        Apr 10, 2019 at 12:08 pm

        Isn’t that part of the risk of holding shares in companies like this?

    • Robert
      Apr 6, 2019 at 10:19 pm

      A brilliant comment, polecat. It’s like living in a world where you are forced to play chess against the current leading grandmaster for your bank account.

  12. Mean Chicken
    Apr 5, 2019 at 9:22 pm

    “Surely someone must have identified this as a terrible idea.”

    Not in a company full of yes men.

    No, I believe Facebook collected the password for the purpose of selling the info to blackmailers.

    The person standing next to you may not be who they appear to be, so take precaution.

  13. Xypher2000
    Apr 5, 2019 at 9:33 pm

    They even let ads for bait and switch companies, got swindled with two ads a little over a year ago for dancing robot and HUD AR type glasses. robot was bait and switch Japanese kids robot cop toy and the glasses never showed. After that i reported ads that were similar in nature and facebook would do nothing.

  14. timbers
    Apr 5, 2019 at 10:19 pm

    I just want to know on thing:

    When is Mark Zuckerberg going to jail and of how long?

    • Javert Chip
      Apr 6, 2019 at 8:35 pm

      Good question.

      My best crack at a serious answer: As soon as our congress-idiots get tired of pretending to play Russian-collusion-whack-a-mole, and somewhere in-between running for president, maybe then these fools could actually do some of what we voters actually elected them to do, among other things, actually pass a law making FaceBook’s (and other digital offenders) egregious actions an actual crime.

      Hard to “convict” FaceBook without there being an actual criminal statute.

  15. Lion
    Apr 5, 2019 at 10:50 pm

    Until recently I had a Facebook account, now closed. My profile was the bare minimum so I could get family updates. No picture. I used a burner Email account for Facebook (as I do for nearly everything I purchase).

    On the “burner Email”, I also would receive about a dozen emails each week from females offering naked selfies and offering hookups (If I had added a picture to my Facebook, maybe these wouldn’t have been sent).

    Interesting point; once I closed Facebook, all of these email went away. All. Makes one wonder.

    Wolf; you’ve got my real Email, take care.

  16. Gold is just..gold
    Apr 5, 2019 at 10:52 pm

    Never been on FB but need to join a group that operate only via FB.

    As I’m also technically challenged, can someone tell me if this will work:

    Get a new pre-pay phone number (must be in my correct name) and a made up google email using said number, but not correct name etc. then join FB using that. The group I want to join uses their proper names – all ethical & above board, non-profit stuff, decent people – and I would need to be upfront in that regard.

    Any solutions appreciated..

    • Bankers
      Apr 6, 2019 at 8:10 am

      Work? It will work but you just have to realise you will get profiled. Basically you have to look at this as that any information you place online can be accessed by one person. When you provide information to “a person”, FB in this example, you are helping create that one person, plus other people may gain access to that info so helping create other “one persons”. The same goes for absolutely any info or applications you use online, the same goes for offline where any data you give is digitalised (and you don’t know).

      So it comes down to who is it nescessary to trust info to – if you need a passport you are going to have to trust government for example.

      This is why phone numbers are used, because they tend to link to official (hence true) ID. So what you are going to provide in this scenario is going to be along the lines of – your full ID via phone number, your location and ip address ( if you don’t use VPN), a fingerprint of your browser/computer that can be cross referenced with use outside of FB, any other details you enter on FB, a throwaway email address, depending on what browser, security, system ( microsoft, android etc.), apps installed then further details of your browsing activity or local information on yourself. Probably more besides if they manage to cross-reference any detail to another information system. I’m even reading that you need to upload a photo now and the account waits until it is reviewed in some cases !

      It is a choice. You can say that government agencies for example might be able to access all your data anywhere, but that they will not reveal that, and that means they won’t release it to the public ( they won’t sell it e.g.) . Private companies will use whatever info they get for their own ends without hesitation, at your cost.

      So it is a question of keeping how much info you give out to a minimum, or in your case reducing the effect of giving out info (ID) by using a phone number that is not used much and an email that you don’t use, and more so if you use privacy features on your computer . It seems throw away online phone numbers and mail services don’t get accepted anymore. mail.com has no fuss email, not sure if there are others. You could probably get a prepaid sim from another country where no ID is needed if you wanted to not give that .

      Or just not use FB.

      Others maybe have some better ideas…

  17. RD Blakeslee
    Apr 6, 2019 at 9:46 am

    Plain old email for me.

    Even so. my use of the internet causes the gathering and sharing of my data by places where I buy something online, so I have to clear over a hundred (and growing) junk mails every day.

    • Javert Chip
      Apr 6, 2019 at 9:19 pm

      Most “modern” email providers (including ISPs) include a spam-filter.

      I use Google (yea, I know they collect data; I up the privacy controls as much as possible and clear my browser cache a couple times a day. I also do this on my iPhone) and I average less than 5 spam/day in my spam folder.

      PS: Before retiring I worked for Visa, who maintained powerful email filters to intercept incoming spam targeted at employee inboxes. Each day, a few hundred spam were automatically deleted per employee – at the corporate level, that’s well over a few billion spam emails per year (less than 5 “suspect” emails/day ended up in an individual’s “suspect spam” folder).

      Before somebody starts foaming-at-the-mouth about Visa sending spam to consumers, Visa only deals with banks and merchants as customers. Individual retail consumers are “bank customers” and are never directly emailed by VISA (Exceptions: Visa responding directly to consumer question, and rarely-if-ever regarding customer-merchant dispute resolution).

  18. Eli Saslow
    Apr 6, 2019 at 10:10 am

    Excellent story. Thank you.

  19. Mike
    Apr 6, 2019 at 11:25 am

    I can confirm this and much more. Last week FB’s account creation page asked me to provide username, email address (for verification) and a password. (The way the page was set up it looked like it really asked for the password for the email address but instead of doing that I just gave them a different password.)When I gave them the info, they started to ask for phone number too. I figured if I already gave them my email address I just go ahead and give them my number too. Then they let me upload a few pictures to my profile. 5 minutes later they suspended my account demanding to uploading a picture of face for verification. I uploaded the picture. Here comes the outrageous part: After all of this my account remained suspended and I was told I needed to upload my ID, like a drivers license for verification. I never heard back from them ever since. Now they have all my personal information and pictures that I can’t even request to be removed because my account because it is “suspended”. I used my first letters of my given names and my nickname for my FB name, maybe they did not like that…but even if that is the case, the way I was social engineered into giving out more and more data and not being able to remove my data from their site… that is pretty upsetting.

    • Apr 6, 2019 at 11:49 am

      You need to take your FB account out the back and shoot it :-]

      Don’t ever use FB. That’s a simple ground rule after all this. I can confirm to you that life is just fine without FB.

      • d
        Apr 7, 2019 at 10:44 am

      • Wisdom Seeker
        Apr 8, 2019 at 1:30 pm

        That also means no Instagram and no WhatsApp.

        • Wisdom Seekerf
          Apr 8, 2019 at 1:31 pm

          Clarification: Both are owned by Facebook.

          Also: have to avoid anything else owned by or sharing data with FaceBook.

        • Apr 8, 2019 at 6:41 pm

          Yes. A better world :-]

  20. Apr 6, 2019 at 11:40 am

    You can always change your email password, phone number not so easy

  21. Gold is just..gold
    Apr 6, 2019 at 12:13 pm

    Thanks for the info – very informative if a bit scary; my gut feeling, years ago, to keep away from FB & others was right even though I had no idea of the depth of personal invasion to come..

    The only way to contact this community group is on FB but I’m going to re-think it. Maybe send a ….what’s it called again… oh yeah, a ‘letter’.

    Thanks again.

    • Bankers
      Apr 6, 2019 at 6:13 pm

      If to me, then welcome. It might be ok if it were just a phone number for simple verification , but as others are describing you just don’t get left alone afterwards either, which is why so many are wary. Either way it is own choice, and for all anyone can say actually staying in contact with a community group might be more important or worth some trade off, so it’s up to you.

      • Bankers
        Apr 6, 2019 at 6:38 pm

        P.S. Letters are good :-) .

      • Javert Chip
        Apr 6, 2019 at 9:38 pm

        Strongly disagree.

        FaceBook (and other digital offenders) knowingly offer services with deliberately designed-but-hidden (real) risks. This deliberate deceit ensures this absolutely is not a matter of “free choice”.

        All children younger than 12-14 years of age, most kids in high school, and the overwhelming percentage of FaceBook (et al) users have zero idea what is happening, and are essentially defenseless.

        This is an area begging for appropriate regulation, but our infantile national politicians are off chasing Russian mirages and running for president.

        • Bankers
          Apr 7, 2019 at 8:04 pm

          I don’t question that, what I am saying is that whether to use FB (or similar) is a persons choice. I advise against these platforms but I think that I am not in a position to command anyone either.

          Then when we look at regulation, sure I would agree to some kind of transparency and good practice sticker, but you know how those can be used to deceive also. You cannot really ban an online platform ( especially countries where freedom of speech sort of still exists) , you really cannot start regulating the web adhoc, so regulation is going to be legal challenges of fraud, closing down physical operations, removing reputation. Data aggregation points could also be signalled somehow, but you know here in EU on every page you have to start by accepting and dismissing a cookies notice, and that really sucks, how else do you stop people giving away their data ? These companies are very clever in making sure that there is some element of choice where obliged by law, but the sum of the experience is still a marketing trap.

          Parents are responsible for keeping their offspring off of these platforms, they have that authority if they choose to exercise it, which unfortunately is less and less common I think. It is not that hard to explain why certain platforms are not a good idea, with reasons that are convincing enough to outdo any peer pressure.

        • Javert, Chip
          Apr 7, 2019 at 8:20 pm

          Bankers

          I better understand what you meant about free choice.

          I’d also point out “free speech” only applies to the government. Employers, universities and other “non-governmental” actors are indeed able to restrict your free speech.

          Several on-line platforms (FaceBook, Google, Apple, Twitter and MANY others) are actively working to restrict not only your free speech, but your on-line access to what management considers to be controversial material.

        • Bankers
          Apr 8, 2019 at 8:52 am

          Yes, I know it is often contorted in practice :-( , but at least in US we still are able to hold open conversation if we choose :-). In other countries, Europe even, the “political correctness” of whatever form has an actual real government presence to back it. Europeans aren’t stupid, they aren’t completely dumbed down intellectually, but the culture is not proactive to full open participation either. A weakness of a more antiquated civil structure I suppose.

  22. Setarcos
    Apr 6, 2019 at 3:12 pm

    “They trust me. Dumb F*#ks.” MZ

    If so, then I agree.

  23. raxadian
    Apr 6, 2019 at 5:16 pm

    Honesty, why does people keep using Facebook? I really wanna know.

    • Apr 6, 2019 at 9:26 pm

      This is one of the most inexplicable phenomena in the world.

      • Wisdom Seeker
        Apr 8, 2019 at 1:36 pm

        Many in the younger generation don’t even realize that privacy used to be a fundamental human right. They just assume everything is out there and there’s nothing they can do about it, so why worry? They lack the experience to realize how much can be used against them, so they really don’t know what they’ve lost.

        But given how easy it has become to build cheap cameras and collect near-infinite data and monitor everything, perhaps the loss of privacy is inevitable? It seems to be a technological tragedy similar to the Tragedy of the Commons in Econ.

        • raxadian
          Apr 8, 2019 at 8:20 pm

          Replace “cheap cameras’ by “smartphones” are you will be up to the times.

          People who never had TVs, who barely knows what a radio is, who has never used a computer, they have smartphones. Maybe they are used or cheap models but they have them.

          The 201Xs are the smartphone generation.

          Yes I know the Iphone was released before 2010. But it took a few years for Smartphones to go from fancy toys for the rich to a mass comsumer item.

          Not that many people bought the first Iphone but the Nokia N8? Wow.

          Had Nokia not ruined things with “Symbian 4” and made the Nokia N9 such an overpriced pieze of junk that didn’t even run the same OS that the N8 things would have been quite different.

  24. ZeroBrain
    Apr 6, 2019 at 7:55 pm

    Wolf – thanks for giving the EFF a platform. I encourage you to keep them in the rotation.

  25. NaturalOnly
    Apr 6, 2019 at 10:08 pm

    I think Facebook does not need you to type in your password. They have software to scan your email account, without your permission. Even though I did not want them to, and expressly said not to, they went through my email account and started suggesting friends to me who were only available on my email. These were people I had not thought of in years. Facebook had rifled through all my emails, not just my contacts.

    They set up an account for my business without my permission. They just used what they found online. This information sat out there for years, with my old business address. I had no idea why people thought I was still there when they called me. I had to log in to the account they set up for me, using my phone number and wait for verification. I had no control over that account without verifying with my phone number.

    I finally had enough and deleted FB about 6 weeks ago. They have managed to screw up what could have been a really good thing, by being really creepy.

  26. ML
    Apr 7, 2019 at 2:17 am

    I don’t understand. As there is very little one can do: presupposing you want to go online, to avoid personal info ending up in FB, surely it is better to concentrate upon becoming immune to advertising and clicking links from sources you have never heard of. And if you receive an email from for example Adobe, as I did recently, reminding me that my subscription was about to expire and would I click the link in the email, ignore that and instead login on your trusted Adobe page and update there.

    Another way is to never use your Google or FB log in details to log into another site but create a log in for each site that needs you to register before you can access it.

    My telephone number and address and email is on-line on my website. So far, touch wood, I have not become a victim beause I take precautions and have my own security process. Which includes anything suspicious resulting in my immediately quitting the browser or email, clearing cache, deleting cookies, html files and databases.

    Having your wits about you is really all that’s needed?

    • d
      Apr 7, 2019 at 10:51 am

      When will Americans learn.

      If a service wants you telephone # and a scanned copy of your DL, with address, they then have access to you social security #.

      Any entity that requires those things online, is an entity you should not be dealing with.

      Some peopel, they NEVER LEARN.

  27. SusanB
    Apr 9, 2019 at 5:27 pm

    They keep using it for the ego strokes. Sad, isn’t it? Or they like getting into nasty public fights with strangers over political disputes. They cooked a wonderful meal and have to let everyone know! Now they can get their 15 minutes of internet fame each and every day!

    I abhor Facebook but most of my family and most of the people I know have an account (thus I have not yet deleted mine – yes, lame – I know). Some are more active than others, of course. As Facebook’s creators confessed last year, they set it up to be addictive. And, yet…so many people willingly comply – all day, every day, revealing private information, announcing their whereabouts, what they cooked for dinner, that they are in a new relationship, became engaged or married. Or, broke up. And let’s not forget, gotta post those envy-producing vacation photos!

    Some people I used to like and admire in “real life” prior to Facebook’s existence have become insufferable self-promoters and pitiful braggarts, begging for validation via the “like” button. They seem to have no shame or self-consciousness as this is now considered “normal”. Why do people now have to express their love for their partner or spouse in front of hundreds if not thousands of voyeurs, in order to get “likes” or “loves”? Is this not a private, special sentiment? Nope, now you have to brag about how “blessed” you are to the sycophant voyeurs to see how many “likes” you get. This is now normal behavior. And if you don’t have a FB account or if you lurk and don’t participate in the madness, you might be suspected of being “anti-social”.

    Sigh. I hate what Facebook has done to society and humans. Unfortunately, I don’t see it going away anytime soon.

Comments are closed.