Facebook sues two Chrome extension devs for scraping user data

2021-01-14 23:00 14262 about.fb.com

Facebook Inc. and Facebook Ireland have filed a legal action in Portugal against two people for scraping user-profiles and other data from Facebook’s website, in violation of our Terms of Service and Portugal’s Database Protection Law. 

Using the business name “Oink and Stuff,” the defendants developed browser extensions and made them available on the Chrome store. They misled users into installing the extensions with a privacy policy that claimed they did not collect any personal information. Four of their extensions (Web for Instagram plus DM, Blue Messenger, Emoji keyboard and Green Messenger) were malicious and contained hidden computer code that functioned like spyware.

When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook, all without their knowledge. If the user visited the Facebook website, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account. The defendants did not compromise Facebook’s security systems. Instead, they used the extensions on the users’ devices to collect information.

We are seeking a permanent injunction against defendants and demanding that they delete all Facebook data in their possession. This case is the result of our ongoing international efforts to detect and enforce against those who scrape Facebook users’ data, including those who use browser extensions to compromise people’s browsers.



Comments

  • By 1vuio0pswjnm7 2021-01-15 0:10 (6 replies)

    Interesting, now Facebook is trying to portray themselves as some sort of legal watchdog over users' data, suing weak, non-customer defendants at random. No doubt they'll be citing this as evidence of their benevolent corporate mission in the next round of regulatory actions against the company.

    https://about.fb.com/news/tag/legal-action/

    Users' data is Facebook's main asset. They created the danger posed by these defendants by intentionally collecting user data on such a massive scale. They're not protecting users, they are protecting their business of creating pools of similarly situated users for advertisers to target. Facebook will never protect users from advertisers. They will not sue their own customers.

    At least with these defendants one can get a rough idea of what they were trying to do, the methods they were using to collect data. With Facebook, the internal operations of the company, how they solicit, collect and use people's data, is deliberately withheld from public scrutiny. "We're using your data to make our service better." For whom? Their customers, which may include political campaigns. Facebook is free. The user is not the customer. "We cannot reveal what we are doing because that would put us at a competitive disadvantage." Obviously they are doing much more than just storing your data and making it available to your friends list. You are not the customer.

    • By 1vuio0pswjnm7 2021-01-15 2:35

      When Facebook customers, i.e., purchasers of Facebook advertising, filed a class action lawsuit against Facebook recently for fraud^1 (more specifically, https://leginfo.legislature.ca.gov/faces/codes_displaySectio... ), Facebook tried to place their amended complaint under seal, so the public could not see it. In part, because it disclosed what goes on behind the scenes at Facebook, the very things that the plaintiffs are suing over. Facebook has much to hide and litigation is one way some of their shady practices may eventually find themselves under the spotlight of public scrutiny. What goes around comes around.

      1 https://cases.justia.com/federal/district-courts/california/...

    • By skybrian 2021-01-15 0:48 (3 replies)

      You should have noticed by now that there is widespread, emphatic agreement that Facebook should protect users' data from third parties.

      This is why what Cambridge Analytica did was bad, right?

      • By wp381640 2021-01-15 1:01 (1 reply)

        Exactly. A lot of people think this is hypocrisy but this is exactly what you want Facebook doing.

        It seems like a week doesn't pass that there isn't news of yet another scraping/dark-adtech firm exposing hundreds of millions of these types of records[0]

        If you think Facebook are bad, these companies are an order of magnitude more evil, and you're never going to hold any of them accountable because they don't care for regulations.

        edit: The threat model here is really concerning. To build user databases legitimately takes a lot of effort and funding. To do it via extensions and scraping requires finding browser extensions that have a lot of users and loose permissions (usually https://*/*) and acquiring them for cheap, pushing an update and then just watching the data roll in.

        The only recourse is further lockdown of browser extension capabilities (which also punishes good apps like uBlock Origin), purging extension stores (which also usually traps innocent players) and/or taking legal action as Facebook are doing

        [0] https://www.safetydetectives.com/blog/socialarks-leak-report...
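
Added example (not part of the thread or of any commenter's post): a defender-side audit of the loose host permissions named in the comment above. It flags manifest entries that grant all-site access and reports broad grants that appear only after an update. The two manifests are constructed samples, and the function names are hypothetical.

```python
import json

def is_broad(pattern: str) -> bool:
    """True for match patterns that cover every host, e.g. https://*/*."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return bool(sep) and scheme in ("*", "http", "https") and host == "*"

def broad_host_grants(manifest: dict) -> list[tuple[str, str]]:
    """Return (manifest field, pattern) pairs that give all-site access."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions";
    # Manifest V3 moves them to "host_permissions".
    for field in ("permissions", "optional_permissions",
                  "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(field, []):
            if isinstance(entry, str) and is_broad(entry):
                findings.append((field, entry))
    # Content scripts run in every page their "matches" patterns cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if is_broad(pattern):
                findings.append((f"content_scripts[{i}].matches", pattern))
    return findings

def newly_broad(old: dict, new: dict) -> list[tuple[str, str]]:
    """Broad grants present in the updated manifest but not the previous one."""
    before = set(broad_host_grants(old))
    return [g for g in broad_host_grants(new) if g not in before]

# Constructed samples: the same extension before and after an update.
OLD = json.loads("""{"manifest_version": 2, "version": "1.0",
  "permissions": ["storage", "https://*/*"],
  "content_scripts": [{"matches": ["https://www.example.com/*"],
                       "js": ["ui.js"]}]}""")
NEW = json.loads("""{"manifest_version": 2, "version": "1.1",
  "permissions": ["storage", "https://*/*"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["ui.js"]}]}""")

if __name__ == "__main__":
    print("already broad:", broad_host_grants(OLD))
    print("added by update:", newly_broad(OLD, NEW))
```

Because the all-site host permission was already granted in the older version, the update in this sample would not trigger a new permission prompt; diffing the manifests is what surfaces the content script that now runs on every page.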

        • By 4638383474 2021-01-15 1:14

          I think you're overthinking the point. If someone's position is that company or industry x is inherently bad then they're going to see any protective behaviors by those companies as also bad because all those protections are doing is prolonging the existence of the root problem.

      • By CivBase 2021-01-15 0:58

        I don't understand this, though. It seems to be driven by a misunderstanding of how the data is being collected in the first place. It isn't some security vulnerability with Facebook. And Facebook isn't distributing the data to a third party. It's just sharing the data with users, who are then passing it off to the third party (intentionally or otherwise).

        It's like expecting keyboard manufacturers to sue developers of keylogging software.

    • By laurent123456 2021-01-15 2:08 (1 reply)

      OK but in isolation there’s nothing wrong with going after malware developers. They might be "weak, non-customer defendants" but I’m certainly not going to feel sorry for them.

      Also it’s not clear what fb is supposed to be doing then? Just let people write malware and steal users’ data? Be damned if you do and damned if you don't.

      • By 1vuio0pswjnm7 2021-01-15 3:06 (2 replies)

        No, I think you are misunderstanding the point of the comment. It is the news releases. It is that Facebook is publishing about these cases on its website. Facebook is always involved in litigation to protect its business. It is that they are now highlighting these cases as if they are acts of "stewardship" or some defence of user privacy.

        It is generally good that Facebook is taking these actions.^1 But the point I am making is that it is likely to be used as an argument by Facebook to try to hide the fact that Facebook created the problem in the first instance. And they have historically failed miserably as "stewards". And they are the much larger threat to user privacy than anyone they are suing. Their interests are not aligned with users. Facebook has reasons to keep others from obtaining user data that have nothing to do with user "privacy", a concept Zuckerberg is in fact actively trying to destroy.

        1 But I am wondering what Facebook would do if a user was "scraping" her own data and the data their friends have shared with her. In other words, imagine the user writes her own "bot" to automate her Facebook usage and reduce the amount of behavioural data she gives to Facebook, i.e., the data she does not get if she "downloads her data" from Facebook. Clearly this is not "malware". TOS would surely be interpreted by Facebook to not allow any sort of automation. As anyone can see reading the public filings they make with courts and regulators, Facebook lawyers are heavy on the over-the-top rhetoric and arguments that border on the absurd. The user is not the customer so no reason for them to hold back on going after users.

        • By totalZero 2021-01-15 3:55

          I don't care what FB's motivations are as long as they scare the living daylights out of people who trick users into installing spyware. It's the least they can do, considering what their company embodies.

        • By laurent123456 2021-01-15 17:13

          Who knows what their exact motivations are, we can only make a guess. Yes in any case it's still a company and they are going to do whatever is good for their business, and it turns out that this time it's also good for their users.

    • By neya 2021-01-15 4:37

      This is just a masqueraded effect from Facebook to stop these devs from eating their lunch. Facebook makes money selling user data. If someone else makes money or gives that value away for free, then this is loss of revenue for them. Just follow the money. Facebook sucks and I wish there was an alternative like Signal for WhatsApp, but for Facebook.

    • By onelovetwo 2021-01-15 0:50

      There's a difference between collecting data with consent VS a spyware designed to secretly collect data.

      These extensions didn't just scrape from fb, they did so from every website the user went to.

    • By dmix 2021-01-15 1:54

      Monopolies and power blocs being the arbitrators of which is good or bad for our society is the new status quo.

      It's not surprising that this press release focuses way more on the extensions mining ancillary 3rd-party information available via the extension (stuff outside of FB) than just what they took from FB - which otherwise FB gets unlimited and unscrutinized access to.

      Instead of taking the opportunity to look within at how they are part of the problem, they push enforcement you'd normally expect more from the extension publishers, Chrome/FF/etc browser extension stores. Instead the massive data silos themselves want to run the show while still eating their cake.

      They realized incentives have changed as the interest groups and likewise the regulators (whom have the latter increasingly have their ear) have become increasingly concerned about blowback from the large pile of data they vacuum up every day, and their own self-proclaimed stewardship of that data.

      They realized they can control it domestically for their own interests and fool the public into thinking the only concerns are Russia, China, and in this case malicious fringe nobody political groups with zero real-life power.

      These are the new sheriffs in the 'wild-west' with inherently vague privacy rules, everything goes internally and for internally 'verified' 3rd parties. Meanwhile they create a smokescreen via engaging in token rule enforcement against tiny firms or the odd domestic authoritarian group so they can showcase themselves as being pro-privacy (ignoring the mountain of despots still using the services or blatant bipartisan double dealing).

      IRL it's most likely not some top-level master plan or conspiracy as many claim, these sorts of moral inconsistencies happen naturally in these firms when they set up teams to control priority narratives and have their loyalists moderate content, with a) primary focus on the fringes and easy hapless targets while b) willfully ignoring the bigger players or 'politically acceptable' groups (and their own businesses over-arching models).

      History is littered with examples coming from the 'morally superior west'. Just look at northern Pakistan on the borders of Afghanistan for these sorts of compromises. Engaging in a decades long phony-war while ignoring geopolitical elephants in the room. These same inconsistencies are rampant in our new politically acceptable reality.

      These inconsistencies are often obvious by default until some super egregious cases get 'caught' or more importantly politically unpalatable use-cases get exposed, then all of a sudden they are the good caretakers over your data - the people they long promised they would be!

      Phony inconsistency is their calling card and easy to spot for anyone who is paying attention.

      I sometimes wish I too was dumb enough to engage in hyper-partisan politics. Like blindly backing a sport team. And not see the long term deterioration of democracy, transparency, and rise of misguided authoritarianism by people who just discovered politics and think flailing about with new forms of top-down censorship will not simply backfire. Or is somehow better than the universal rejection of the (already) tiny fringe negative forces which we saw immediately after the capitol riots from bipartisan sides.

      No, FUD convinces them we have to destroy the rights, rights created to protect them, to get there...

  • By xupybd 2021-01-14 23:48 (6 replies)

    While I get why they are doing this, there is a certain amount of irony here. Facebook fighting to prevent the collection of users' data.

    It made me laugh a little

    • By itslennysfault 2021-01-15 0:06 (4 replies)

      Agreed. EXTRA funny since Facebook was originally entirely powered by data scraped from Harvard student directory.

      • By asiando 2021-01-15 0:34 (2 replies)

        Everyone trying to be funny here except that you’re all missing the point.

        That data was public in the first place. These extensions can scrape anything, including your messages.

      • By johannes1234321 2021-01-15 0:45

        Also in early times they gave quite open access to the data via API, so that everybody ties to them and everybody uploads data. Once they were big they reduced the APIs and monopolized the data they collected. (Not giving broad access via API is a good thing, see discussions around Cambridge Analytica and others)

      • By echelon 2021-01-15 0:22

        Break the rules until you're big enough to make them.

        Obviously this doesn't prevent you from breaking other rules. Actually, once you make it into the big leagues, you can now afford to break more rules than ever before.

      • By tomaszs 2021-01-15 5:14

        Even more funny since fb also scraped data from email accounts by misleading to obtain logins and passwords and spammed people.

    • By paxys 2021-01-15 0:39

      Facebook is not suing them for stealing users' data, they are suing them for stealing THEIR data.

    • By HeyZuess 2021-01-15 1:42

      > demanding that they delete all Facebook data in their possession

      I know "Facebook data" is not quoted, but I gather that is the way they feel about it, they aren't protecting the user and the user's data, they are protecting themselves and their data!

    • By isatty 2021-01-15 0:40

      Well, _they_ want your data and they want to sell it for profit or make use of it in a profitable venture I imagine. They don't want anyone else getting it for free.

    • By tomc1985 2021-01-15 0:59

      Like a mob boss sending goon squads to defend their turf

  • By reustle 2021-01-14 23:57 (1 reply)

    The developer indeed looks pretty shady. Weird screenshot security certificates and knockoff drop-shipped electronics, on top of their plethora of browser extensions and desktop apps. They seem to be based in Portugal.

    https://www.oinkandstuff.com/2019/04/10/%f0%9f%90%97-oinkand...

    https://www.oinkandstuff.com/shop/

    • By wavefunction 2021-01-15 0:31

      Sounds like it's perfect for Facebook, land of the MLM and foreign and domestic propaganda campaigns.
