Could someone who's running the iOS 14 beta confirm that Facebook attempts to scan the entire local network on startup, presumably for location and/or fingerprinting?
Maybe by posting a screenshot of the permission request on app startup?
I love it when Apple decides to throw a practice behind a new explicit permission request, just like how we discovered banking apps were weirdly using Bluetooth for no reason at all.
Why does Facebook need to sniff your entire network, again? I guess now we might find out.
It's entirely possible Facebook might have a good reason for doing this in its mobile app.
It's just... we weren't told, or asked?
I mean, I don't know about you, but if Facebook said: "hey, to use the Facebook app we want to find out everything we can about all the other devices on your home network and all the other wifi networks you use", some people might say no thanks? Or want to know why?
The amusing thing is that, just as with the Bluetooth Permissions deal, app developers will have a good few months to let us know in advance what they need these permissions for and I bet they won't bother?
Things Facebook could find out by sniffing / attempting to find out about all the devices on the wifi network you're using:
* if you have a smart TV
* or a console
* who might live on the same network
* if you have any smart devices
* and more!
It's entirely possible *anyone* doing this (not just Facebook -- those banking apps, remember?) could, say, attach data to your profile if a smart fridge is found.
Or a Roku. Or a Kindle. Or figure out that two people live together. Or home surveillance cameras. Or...
People have been sent to jail for the equivalent of doing this on computer networks. It's similar to port scanning (or in some cases, it is port scanning) - going out into your network and trying every single door handle.
Polite? Not really. Without asking? Kinda skeezy?
Here it is: on iOS 14, Facebook is required to ask permission to sniff the devices on all the networks you connect to.
I don't think they've disclosed what they do this for and why, can anyone point to anything? https://twitter.com/ianbetteridge/status/1275473920246808578?s=20
Here's the WWDC session on Local Network Privacy, a forthcoming iOS 14 feature:
"If your app interacts with devices using Bonjour or other local networking protocols, you must add support for local network privacy permissions in iOS 14." https://developer.apple.com/videos/play/wwdc2020/10110/
Hello Journalist Friends, it would be awfully wonderful if someone could get a comment from Facebook about this...
Via DM, looks like Facebook disclosed something somewhat obliquely about this in 2018 Senate testimony:
https://www.commerce.senate.gov/services/files/9d8e069d-2670-4530-bcdc-d3a63a8831c4
so back in 2018, Facebook was "in some cases" collecting "information about other devices that are nearby or on your network", "so we can do things like help you stream a video from your phone to your TV".
FB's Apple TV app came out in 2017; Portal in 2018.
I guess we are lucky that Facebook will only use this information about "other devices that are nearby or on your network" to only do things like help stream videos!
How fortunate we found out in *checks notes* a 229 page written testimony to the U.S. Senate!
So, there are entirely reasonable uses of wanting to know what other devices are on your network. This is also used to figure out if you have a Chromecast to throw video to it.
But... their testimony about device info says first that, in general, it's used to target ads.
Opening para for that section on device information, page 1412:
https://www.commerce.senate.gov/services/files/9d8e069d-2670-4530-bcdc-d3a63a8831c4
There's another reasonable point that FB is doing device discovery for watching a video on your TV, sure fine.
Bonjour on my network shows:
* my printer
* my Apple TV
* my Philips Hue bridge
* my Sonos
* my LG Fridge
* my Zeppelin Airplay
which FB would be (are!) grabbing.
You can use any Bonjour service discovery app on macOS or iOS to find out what other devices Facebook's current iOS app is discovering and (without information otherwise!) logging and combining with other information in your profile.
Watching videos is just *one* use case.
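What a single Bonjour browse of `_services._dns-sd._udp.local` returns to whoever asks, as an added example that is not part of the original thread: a small parser for mDNS PTR answers, useful for auditing what your own devices advertise. The response packet is constructed here rather than captured, and the service-type-to-device mapping is an illustrative assumption.

```python
import struct
# Illustrative mapping of DNS-SD service types to device kinds (assumption).
KINDS = {"_ipp._tcp": "printer", "_airplay._tcp": "AirPlay receiver",
         "_hue._tcp": "Philips Hue bridge", "_sonos._tcp": "Sonos speaker"}
META = "_services._dns-sd._udp.local"  # DNS-SD service type enumeration name

def encode_name(name):  # DNS wire format: length-prefixed labels, zero terminator
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next_off)."""
    labels, end = [], None
    for _ in range(128):  # bounded so a pointer loop cannot hang the parser
        n = msg[off]
        if n & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def ptr_records(msg):  # (owner, target) for each PTR answer in a DNS/mDNS message
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, out = 12, []
    for _ in range(qd):  # skip any questions (name + qtype + qclass)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 12:  # PTR
            out.append((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    return out

def device_kinds(msg):  # what one service-type browse reveals about the network
    return sorted(KINDS.get(t.rsplit(".", 1)[0], "unknown: " + t)
                  for o, t in ptr_records(msg) if o == META)

def build_sample(services):  # constructed response, not a capture
    msg = struct.pack("!6H", 0, 0x8400, 0, len(services), 0, 0)
    for i, svc in enumerate(services):
        rdata = encode_name(svc + ".local")
        owner = encode_name(META) if i == 0 else b"\xc0\x0c"  # pointer to offset 12
        msg += owner + struct.pack("!HHIH", 12, 1, 4500, len(rdata)) + rdata
    return msg

SAMPLE = build_sample(["_ipp._tcp", "_airplay._tcp", "_hue._tcp", "_sonos._tcp"])
```

`device_kinds(SAMPLE)` lists a printer, an AirPlay receiver, a Hue bridge and a Sonos speaker from one unauthenticated answer, which is the same view any app granted local network access gets.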
"We want to make it easier for you to watch videos on your TV" *also* covers the mechanistic process of discovering *all the other bonjour/mDNS devices on your network*, like your printer, your fridge, your smart home devices, and more *unless* FB explicitly designs otherwise.
Again, yes, FB could be using this to help with Portal or to throw video to a TV.
But their 2018 testimony, *which I'm sure was gone over by lawyers* says they use network device info "so we can do things *like* help people stream a video."
"Like" isn't "only".
There's another lesson here which is that mDNS/Bonjour local network service discovery is all fine and good until someone's a bad actor and using it for purposes for which it was not intended, e.g. building up a database of information about individuals to target ads.
My rough analogy to this is idealistic internet, where open broadcasting on a local network didn't have (enough?) consequence scanning, which *might* have yielded at the time the low but non-negligible risk of inviting a vampire into your house and sucking everything up.
It's all fun and games when you just want to visit the webpage of your printer or, um, your fridge, but now the massive social network that allows companies to target you also knows you have a printer and a fridge because you might want to share a video to your tv.
Also smart fridges are dumb.
I guess one could go through the rest of FB's 2018 testimony and use it for inspiration for more privacy oriented features which is kind of a bit sad and also, yay for the tiniest slice of government oversight, as a treat?
Anyway, if Facebook are collecting data on *all* the other local devices it can discover on your network, I'm sure they're throwing away/deleting that data if it isn't useful for doing helpful things like showing a video to your TV.