hhmx.de

Kee Hinckley

Kee Hinckley
@nazgul@infosec.exchange

Föderation EN Fr 01.11.2024 23:28:42

For many years I've believed that Facebook and Instagram were secretly downloading phone photos in the background. Because when you go to post a photo, it gets sent far too quickly to have done a download at the same time.

Yesterday I found this video from an Instagram founder, and damned if I wasn't right.

It doesn't appear to be all photos, just the most recent one (ones?). It's not clear from the video if it happens when you launch the app, or when you hit compose. They're doing it on the assumption you're about to post some recent photos. They claim it's okay because if you don't post it, they delete it.

That's classic Meta self-serving bullshit. The "Yeah, it's wrong, but it's okay because we're Meta and we're smart" excuse they always use.

It is not okay to upload my photos without my explicit consent. It's not okay to chew up my bandwidth when I may be deliberately trying to keep it low. IANL, but that first, frankly, sounds like class action material.

It doesn't matter that they claim to delete it. They just introduced a privacy risk. That could have been a nude of my spouse. That could have been a photo of my kid I was sending to my doctor. That could have been a photo of a contract I'm not allowed to share. All to save a few seconds they can brag about.

When Apple allowed you to selectively make photos available to app, I turned the feature on for Meta apps. This makes posting photos a pain, because Meta doesn't uses Apple's UI for choosing which photos they can see and selecting them at the same time. It's a multistep process and it isn't obvious how to do it. Ironically, it means that I rarely post to Instagram anymore. A fact that just reinforces my belief that Meta really wants full photo access and deliberately isn't fixing the issue.

0x   26   1x

JoD

JoD
@jodmentum@apobangpo.space

Föderation EN Sa 02.11.2024 00:12:31

@nazgul

Medien: 1

0x   1   0x

Kevin Karhan :verified:

Kevin Karhan :verified:
@kkarhan@infosec.space

Föderation EN Sa 02.11.2024 16:06:56

@jodmentum @nazgul why is there no "no thanks" option with a tickbox "don't ask me again" next to it?

Pretty shure this violates & !

Cc: @EUCommission @noybeu @bsi @Bundesverband

0x   0   0x

L. Rhodes ⁂

L. Rhodes ⁂
@lrhodes@merveilles.town

Föderation EN Sa 02.11.2024 01:47:42

@nazgul It's not entirely clear to me that he's talking about pre-uploading recent photos from your phone, or uploading photos that you've selected before you hit upload, e.g. while you're typing a caption.

I'd still regard that as unethical and violation of privacy, but it's not as intrusive as grabbing photos from phone storage before they've been selected by the user.

0x   2   0x

Damon L. Wakes

Damon L. Wakes
@DamonWakes@mastodon.sdf.org

Föderation EN Sa 02.11.2024 01:56:31

@lrhodes @nazgul The less iffy option sounds more likely to me - he does specifically mention the caption being the bottleneck in terms of time, and preemptively uploading photos seems like a massive waste of resources for Instagram unless they can reasonably anticipate an intent to post them - but wow is that still not great.

0x   4   0x

L. Rhodes ⁂

L. Rhodes ⁂
@lrhodes@merveilles.town

Föderation EN Sa 02.11.2024 02:04:38

@DamonWakes @nazgul I don't know that I'd put it past them. If nothing else, unposted photos might still make useful training data, especially if they can be linked by metadata to photos that have been uploaded and captioned. But large transfers of that sort would be easier to spot if you're watching for infosec leaks, and I would expect most phones to meter access better than that. But maybe not.

0x   2   0x

Damon L. Wakes

Damon L. Wakes
@DamonWakes@mastodon.sdf.org

Föderation EN Sa 02.11.2024 02:38:49

@lrhodes @nazgul The video mentions "choosing 512 by 512" which sounds like way too small an image size to be at all recent, which suggests that gathering training data wouldn't have been a concern when that decision was made. I wouldn't absolutely rule out a less charitable interpretation either, though - especially nowadays, since they've likely become more grabby for user data rather than less.

0x   0   0x

Van Sice

Van Sice
@vansice@infosec.exchange

Föderation EN Sa 02.11.2024 04:57:40

@lrhodes @DamonWakes @nazgul THIS. Why *wouldn't* they send your photos into their AI maw if they had them? Speaking of class action... IANAL but I would argue that taking it before you finalize is like assuming agreement on a contract not yet signed.

0x   1   0x

Damon L. Wakes

Damon L. Wakes
@DamonWakes@mastodon.sdf.org

Föderation EN Sa 02.11.2024 11:14:27

@vansice @lrhodes @nazgul At the point this particular decision was made, I don't think the AI maw existed: mastodon.sdf.org/@DamonWakes/1

0x   0   0x

Cat West

Cat West
@Catawu@mastodon.social

Föderation EN Sa 02.11.2024 07:06:11

@DamonWakes @lrhodes @nazgul Taking your photos with or without your permission is a massive money maker for these guys. Your photos contain meta data that is more than images. You bet they’re doing it. They aren’t making billions without selling your data.

0x   1   0x

Femme Malheureuse

Femme Malheureuse
@femme_mal@mstdn.social

Föderation EN Sa 02.11.2024 07:18:14

@Catawu @DamonWakes @lrhodes @nazgul Chances are good given Meta's history of privacy violations that they are not only harvesting meta data but imagery to populate their own generative AI.

The more image data it has from the real world oriented by the meta data, the more realistic the output of its AI, close to 3D 360 degrees.

Meta could replicate users' lives with this given enough data from around each user.

0x   0   0x

Egli/Lui

Egli/Lui
@amigaunicorn@dudes.keinpfusch.net

Föderation EN Sa 02.11.2024 10:07:20

@DamonWakes @lrhodes @nazgul you no read term and conditions?

0x   0   0x

Koantig

Koantig
@koantig@mamot.fr

Föderation EN Sa 02.11.2024 10:38:36

@DamonWakes
That's how I understand it as well: by the time you're writing the caption, you're already using instagram. So I don't think there's a risk of uploading the kid's picture or a photo of a contract.

Still iffy though, esp. if the button is called 'upload'. Downright misleading.

It's like when Facebook was recording the text of the post while you were writing it, which was ending up on their server even if you decided not to send it eventually.

@lrhodes @nazgul

0x   0   0x

jjjjeeppyyaanngg 🧝‍♀️

jjjjeeppyyaanngg 🧝‍♀️
@jepyang@wandering.shop

Föderation EN Sa 02.11.2024 14:20:53

@lrhodes @nazgul fwiw, IG auto-selects your most recent photo every time you start a post, no user input required

0x   0   0x

DeepSpace🔺9

DeepSpace🔺9
@mishi@kolektiva.social

Föderation EN Sa 02.11.2024 04:22:03

@nazgul

Yeah, use billionaire platforms AT YOUR OWN RISK.

0x   0   0x

DrGeraintLLannfrancheta

DrGeraintLLannfrancheta
@DrGeraintLLannfrancheta@nafo.army

Föderation EN Sa 02.11.2024 06:50:05

@nazgul wow

0x   0   0x

Chris L

Chris L
@jayalane@mastodon.online

Föderation EN Sa 02.11.2024 07:43:10

@nazgul didn't they used to upload all the versions of all the software you had on your phone? (FB not insta).

0x   0   0x

Rachael Ava 💁🏻‍♀️

Rachael Ava 💁🏻‍♀️
@RachaelAva1024@tech.lgbt

Föderation EN Sa 02.11.2024 09:01:07

@nazgul I have to be honest, the idea of the server pre-fetching data about that user to memory when you enter your email address so that by the time the user is authenticated, the user's data can be pushed to the authenticated user is pretty neat.

0x   0   0x

Alper Çuğun-Gscheidel

Alper Çuğun-Gscheidel
@alper@rls.social

Föderation EN Sa 02.11.2024 09:31:50

@nazgul @whvholst Also 100% they have the microphone on to target their ads. Wouldn’t they?

0x   1   0x

Walter van Holst

Walter van Holst
@whvholst@eupolicy.social

Föderation EN Sa 02.11.2024 09:42:52

@alper @nazgul That one has been discredited over and over. The power of inference from all the data they get about you is stunning enough.

0x   1   0x

Alper Çuğun-Gscheidel

Alper Çuğun-Gscheidel
@alper@rls.social

Föderation EN Sa 02.11.2024 10:13:08

@whvholst @nazgul Sure but still, they would if they could.

0x   1   0x

Lo

Lo
@zner0L@chaos.social

Föderation EN Sa 02.11.2024 11:52:05

@alper @whvholst @nazgul Unless it is properly proven, I do not think it is helpful to spread these conspiracies, because it dilutes the actual dangers both of complete surveillance and the power of inference. Whether Instagram actually send your voice data to a server is possible to observe and there are even some people doing research into this. I am not saying: Let Instagram slide. I am saying: Collect evidence and properly call them out.

0x   0   0x

David Chisnall (*Now with 50% more sarcasm!*)

David Chisnall (*Now with 50% more sarcasm!*)
@david_chisnall@infosec.exchange

Föderation EN Sa 02.11.2024 10:02:46

@nazgul Maybe you can take a photo of your credit card and then report them for PCI violations?

0x   0   0x

Aral Balkan

Aral Balkan
@aral@mastodon.ar.al

Föderation EN Sa 02.11.2024 10:12:31

@nazgul Data monster in eats data shocker.

0x   0   0x

waxle

waxle
@waxle@mastodon.social

Föderation EN Sa 02.11.2024 10:19:14

@nazgul I spoke to a Facebook developer in 2017 at a UX conference and he acknowledged this, adding that to him it was a great feature. He was amazed at the pushback he got, mainly from European developers at that conference. (GDPR had not even come into effect) The rationale for implementation back then was lousy mobile internet coverage in many places in the US. Privacy or infosec principles were just butchered in favor of UX.

0x   0   0x

UkeleleEric

UkeleleEric
@UkeleleEric@mstdn.social

Föderation EN Sa 02.11.2024 10:19:51

@nazgul which is why I don't download apps for this sort of thing. I don't even access FB from my phone. My computer has security settings dialled right down. My browser likewise. Anything I post on a website is explicitly done. Bit of a faff, but has to be done.

0x   0   0x

Karsten

Karsten
@byteborg@chaos.social

Föderation EN Sa 02.11.2024 10:30:20

@nazgul
"How ist this thing so fast in violating privacy law?" One might ask...

0x   0   0x

Mx Autumn :blobcatpumpkin:

Mx Autumn :blobcatpumpkin:
@carbontwelve@notacult.social

Föderation EN Sa 02.11.2024 11:54:05

@nazgul wow. That’s naughty.

0x   0   0x

Michal Bryxí 🌱

Michal Bryxí 🌱
@MichalBryxi@veganism.social

Föderation EN Sa 02.11.2024 12:20:18

@nazgul Assumption, but I believe he is talking about the photo you have already selected and started putting in description. It checks with the part where he's talking about description being composed and then deleting a single photo (otherwise it's just a wild guess and deleting multiple).

0x   0   0x

Cassandrich

Cassandrich
@dalias@hachyderm.io

Föderation EN Sa 02.11.2024 12:30:20

@nazgul Apple and Google share in the blame for still allowing the legacy non-picker access at all.

0x   0   0x

Gürkan Çetin

Gürkan Çetin
@gurkanctn@mastodon.social

Föderation EN Sa 02.11.2024 12:42:06

@nazgul

They claim they are uploading the "draft" post that the user is working on, not your entire photo gallery. Though, even uploading draft posts can be considered privacy-invading.

0x   0   0x

millennial falcon

millennial falcon
@falcennial@mastodon.social

Föderation EN Sa 02.11.2024 13:04:46

@nazgul it is not ok to use facebook products.

0x   0   0x

Vincent 🌻🇪🇺

Vincent 🌻🇪🇺
@photovince@mastodon.social

Föderation EN Sa 02.11.2024 13:07:27

@nazgul I would have never guessed this level of evil (not sure whether to congratulate you on your mistrust) but I’m glad that as a general measure I’ve refused to use any Meta app - always used the web IF, however bad they made it… (which they did, consciously, to nudge people to the app)

0x   0   0x

Τρομοκρατιστής ✭

Τρομοκρατιστής ✭
@tromo@kafeneio.social

Föderation EN Sa 02.11.2024 14:01:19

@nazgul Several years ago, when I decided to cut any contact with FAGAM, Google had uploaded to its network disc without asking me all the photos. After it had done this crime to justify himself, it asked me which ones I wanted to make public. As a programmer, of course, I understood that it had already transferred them from the phone to the web.
Stop trusting companies. Capitalists respect only money and commit whatever crime to do it.

0x   0   0x

Martina Neumayer

Martina Neumayer
@MartinaNeumayer@mastodon.social

Föderation EN Sa 02.11.2024 14:02:53

@nazgul Almost every product owned by meta is using this methods since many years. Fb, Insta, WhatsApp and so on. You name it.
And yes, of course it should be a class action made from it and also tons of separate court cases as well. Reasons for suing meta bastards are plenty in this particular topic.

0x   0   0x

WTL

WTL
@WTL@mastodon.social

Föderation EN Sa 02.11.2024 14:24:50

@nazgul 🤔 😳

0x   0   0x

Océane

Océane
@oceane@peculiar.florist

Föderation · Sa 02.11.2024 14:35:41

@nazgul This person just says users caption their pictures using the local cache, while Instagram uploads them in the background?

0x   0   0x

prioinv

prioinv
@prioinv@hachyderm.io

Föderation EN Sa 02.11.2024 14:50:47

@nazgul in theory they could encrypt it, upload, send the decryption key after confirm.

0x   0   0x

M Berberich

M Berberich
@m_berberich@chaos.social

Föderation EN Sa 02.11.2024 15:08:57

@nazgul

If this is true, it quite sure is a GDPR¹ violation in the EU.

__________
¹en.wikipedia.org/wiki/General_

0x   0   0x

troy_friz_zell

troy_friz_zell
@troy_frizzell@mstdn.social

Föderation EN Sa 02.11.2024 16:08:29

@nazgul

I have this great hack to prevent Facebook from violating you.

Stop using Facebook.

While I can't see what people who were my friends 50 years ago are eating for lunch, somehow I've managed to survive for nearly a decade without it.

I know it's wrong, but I'm over here feeling VERY smug about not being on any Facebook owned properties.

Medien: 1

0x   0   0x