
I'd expect that they're doing this because they'd like to diagnose crashes or bugs on systems that they don't have the hardware for. It's still somewhat creepy and possibly a fingerprinting mechanism.



Your assessment would be reasonable with just about any company.

But Facebook? Not so much.


Agreed. This is about how the phone number thing went "for security". I think a lot of people believed FB was using it just for security but in reality they were trying to find more connections, possible friends, tie you to an identity. A real citizen of a country - which is one of their products. I would suspect this is like browser fingerprinting.


Yeah, when I was working on an SMS app, I briefly considered doing something similar. The variety of ways companies break these shared services is astounding[1], and there's no way to reproduce without having the actual phone on-hand, and/or decompiling the framework and seeing what nonsense they wrote. I never did ship it tho.

There are definitely some non-shady useful reasons to do this, but Facebook has sorta lost my default assumption of not-evil, yea.

[1]: https://news.ycombinator.com/item?id=20672783


If this was being done for fingerprinting, wouldn't it make more sense to use a hash of the libraries?


Taking the hash of the library doesn't help you when a user updates their device, though.


Even ignoring the ethical questions it is a massive waste of bandwidth. They could hash the libraries, and if they get a cache miss, upload that one from one person (or perhaps a few people, since everything is in parallel). They then know what system libraries their users have installed without wasting a ton of bandwidth.

Next step to reduce creepiness is to only upload info on system libraries that actually affect the app (so if some users experience crashes and others don't, they can trace it to differences in system libraries).


And the next step in privacy after that would be to not upload the libraries at all. Actually, that should have been their first step…


How would uploading the library help with that?


It's almost infinitely easier to track a library update if you have the actual libraries on hand to compare, rather than two hashes.


But that presumes a human engineer is going through and looking at the libraries in order to maintain fingerprints. I suppose it's possible that's what Facebook is doing, but it strikes me as a massive waste of time, particularly in comparison to all of the other metrics at their disposal.


There are a lot of techniques to compare binary similarity that don't require human intervention.

Edit: see for instance https://www.usenix.org/conference/usenixsecurity17/technical...


But you could do that on the device too, you don't need to upload the library.

I don't know, you could be right—maybe Facebook really wants their analysis to only run on their own servers. It just seems like a stretch to me.


I feel like running strings on the binaries would do a pretty decent job.


Why wouldn't they just track the model of the phone + the current software version if fingerprinting was the goal? How would this approach give them any more fingerprinting data than that one?


You could do that more easily with file names though. I doubt libraries significantly (if at all) change their file names when they update.


Would it be less creepy if Facebook had a list of libraries they use, and uploaded a list of missing libraries instead of the total collection?


It would be less creepy if they actually asked the user if they want to upload those system files before uploading them.


I wonder how many users would understand what these files are, why Facebook might want them, and what the risks are associated with sending these.


That's why telemetry uploads metadata, not actual binaries. If you don't upload others' files, you don't need to ask permission to do so.


That seems like a stretch. Metadata is still data.


Except it's not the data that's protected by copyright laws. ...and that it's not the original file is what makes it ethically palatable that Facebook is doing this without explicitly notifying the users that it's happening, although they damn well should have because it represents a profound change in the relationship.


> what the risks are associated with sending these.

What are the risks?


It enables very precise fingerprinting based on device and OS version, down to hardware revision and security patch level.


Or alternatively feed them to a cracking team to look for vulnerabilities. Now, what they do with the vulnerabilities ...


Wouldn’t a hash of the lib achieve the same end result, especially now that they already have a large sample of actual?
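The hash-first scheme proposed in the thread (send hashes, upload a library only on a cache miss, then compare devices by the libraries that differ), as an added example that is not code from any commenter or from Facebook. The `Catalog` server, the `sync` client and the sample device data are hypothetical.

```python
import hashlib
def manifest_of(libs):
    """Client: map each library path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in libs.items()}

class Catalog:
    """Hypothetical collection server that stores each distinct library once."""
    def __init__(self):
        self.blobs = {}    # sha256 hex -> library bytes
        self.reports = {}  # device id -> {path: sha256 hex}

    def report(self, device_id, manifest):
        """Record a manifest; return the digests not yet held (cache misses)."""
        self.reports[device_id] = dict(manifest)
        return {h for h in manifest.values() if h not in self.blobs}

    def upload(self, digest, data):
        """Accept a blob only if it hashes to the digest it claims."""
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("blob does not match digest")
        self.blobs[digest] = data

    def differing(self, dev_a, dev_b):
        """Paths whose contents differ between two reporting devices."""
        a, b = self.reports[dev_a], self.reports[dev_b]
        return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def sync(catalog, device_id, libs):
    """Client: send hashes first, upload only the misses; return bytes uploaded."""
    manifest = manifest_of(libs)
    missing = catalog.report(device_id, manifest)
    sent = 0
    for path, data in libs.items():
        if manifest[path] in missing:
            catalog.upload(manifest[path], data)
            missing.discard(manifest[path])  # identical files go up once
            sent += len(data)
    return sent

# Constructed sample data: byte strings standing in for system libraries.
LIBC = b"libc build 1" * 100
DEVICES = {
    "phone-a": {"/system/lib/libc.so": LIBC, "/system/lib/libsms.so": b"vendor X sms" * 50},
    "phone-b": {"/system/lib/libc.so": LIBC, "/system/lib/libsms.so": b"vendor X sms" * 50},
    "phone-c": {"/system/lib/libc.so": LIBC, "/system/lib/libsms.so": b"vendor Y sms" * 50},
}
def run_demo():
    catalog = Catalog()
    return catalog, {dev: sync(catalog, dev, libs) for dev, libs in DEVICES.items()}
```

The manifest of hashes alone still separates phone-c from the other two, which is the fingerprinting concern raised in the thread.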



