Connect with us

Biz & IT

Seized cache of Facebook docs raise competition and consent questions

Published

on

A UK parliamentary committee has published the cache of Facebook documents it dramatically seized last week.

The documents were obtained by a legal discovery process by a startup that’s suing the social network in a California court in a case related to Facebook changing data access permissions back in 2014/15.

The court had sealed the documents but the DCMS committee used rarely deployed parliamentary powers to obtain them from the Six4Three founder, during a business trip to London.

You can read the redacted documents here — all 250 pages of them.

In a series of tweets regarding the publication, committee chair Damian Collins says he believes there is “considerable public interest” in releasing them.

“They raise important questions about how Facebook treats users data, their policies for working with app developers, and how they exercise their dominant position in the social media market,” he writes.

“We don’t feel we have had straight answers from Facebook on these important issues, which is why we are releasing the documents. We need a more public debate about the rights of social media users and the smaller businesses who are required to work with the tech giants. I hope that our committee investigation can stand up for them.”

The committee has been investigating online disinformation and election interference for the best part of this year, and has been repeatedly frustrated in its attempts to extract answers from Facebook.

But it is protected by parliamentary privilege — hence it’s now published the Six4Three files, having waited a week in order to redact certain pieces of personal information.

Collins has included a summary of key issues, as the committee sees them after reviewing the documents, in which he draws attention to six issues.

Here is his summary of the key issues:

  • White Lists Facebook have clearly entered into whitelisting agreements with certain companies, which meant that after the platform changes in 2014/15 they maintained full access to friends data. It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.

Facebook responded

  • Value of friends data It is clear that increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. The idea of linking access to friends data to the financial value of the developers relationship with Facebook is a recurring feature of the documents.

In their response Facebook contends that this was essentially another “cherrypicked” topic and that the company “ultimately settled on a model where developers did not need to purchase advertising to access APIs and we continued to provide the developer platform for free.”

  • Reciprocity Data reciprocity between Facebook and app developers was a central feature in the discussions about the launch of Platform 3.0.
  • Android Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user would be controversial. To mitigate any bad PR, Facebook planned to make it as hard of possible for users to know that this was one of the underlying features of the upgrade of their app.
  • Onavo Facebook used Onavo to conduct global surveys of the usage of mobile apps by customers, and apparently without their knowledge. They used this data to assess not just how many people had downloaded apps, but how often they used them. This knowledge helped them to decide which companies to acquire, and which to treat as a threat.
  • Targeting competitor Apps The files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business.

Update: 11:40am

Facebook has posted a lengthy response (read it here) positing that the “set of documents, by design, tells only one side of the story and omits important context.” They give a blow-by-blow response to Collins’ points below though they are ultimately pretty selective in what they actually address.

Generally they suggest that some of the issues being framed as anti-competitive were in fact designed to prevent “sketchy apps” from operating on the platform. Furthermore, Facebook details that they delete some old call logs on Android, that using “market research” data from Onava is essentially standard practice and that users had the choice whether data was shared reciprocally between FB and developers. In regard to specific competitors’ apps, Facebook appears to have tried to get ahead of this release with their announcement yesterday that it was ending its platform policy of banning apps that “replicate core functionality.” 

The publication of the files comes at an awkward moment for Facebook — which remains on the back foot after a string of data and security scandals, and has just announced a major policy change — ending a long-running ban on apps copying its own platform features.

Albeit the timing of Facebook’s policy shift announcement hardly looks incidental — given Collins said last week the committee would publish the files this week.

The policy in question has been used by Facebook to close down competitors in the past, such as — two years ago — when it cut off style transfer app Prisma’s access to its live-streaming Live API when the startup tried to launch a livestreaming art filter (Facebook subsequently launched its own style transfer filters for Live).

So its policy reversal now looks intended to diffuse regulatory scrutiny around potential antitrust concerns.

But emails in the Six4Three files suggesting that Facebook took “aggressive positions” against competing apps could spark fresh competition concerns.

In one email dated January 24, 2013, a Facebook staffer, Justin Osofsky, discusses Twitter’s launch of its short video clip app, Vine, and says Facebook’s response will be to close off its API access.

As part of their NUX, you can find friends via FB. Unless anyone raises objections, we will shut down their friends API access today. We’ve prepared reactive PR, and I will let Jana know our decision,” he writes. 

Osofsky’s email is followed by what looks like a big thumbs up from Zuckerberg, who replies: “Yup, go for it.”

Also of concern on the competition front is Facebook’s use of a VPN startup it acquired, Onavo, to gather intelligence on competing apps — either for acquisition purposes or to target as a threat to its business.

The files show various Onavo industry charts detailing reach and usage of mobile apps and social networks — with each of these graphs stamped ‘highly confidential’.

Facebook bought Onavo back in October 2013. Shortly after it shelled out $19BN to acquire rival messaging app WhatsApp — which one Onavo chart in the cache indicates was beasting Facebook on mobile, accounting for well over double the daily message sends at that time.

The files also spotlight several issues of concern relating to privacy and data protection law, with internal documents raising fresh questions over how or even whether (in the case of Facebook’s whitelisting agreements with certain developers) it obtained consent from users to process their personal data.

The company is already facing a number of privacy complaints under the EU’s GDPR framework over its use of ‘forced consent‘, given that it does not offer users an opt-out from targeted advertising.

But the Six4Three files look set to pour fresh fuel on the consent fire.

Collins’ fourth line item — related to an Android upgrade — also speaks loudly to consent complaints.

Earlier this year Facebook was forced to deny that it collects calls and SMS data from users of its Android apps without permission. But, as we wrote at the time, it had used privacy-hostile design tricks to sneak expansive data-gobbling permissions past users. So, put simple, people clicked ‘agree’ without knowing exactly what they were agreeing to.

The Six4Three files back up the notion that Facebook was intentionally trying to mislead users.

In one email dated November 15, 2013, from Matt Scutari, manager privacy and public policy, suggests ways to prevent users from choosing to set a higher level of privacy protection, writing: “Matt is providing policy feedback on a Mark Z request that Product explore the possibility of making the Only Me audience setting unsticky. The goal of this change would be to help users avoid inadvertently posting to the Only Me audience. We are encouraging Product to explore other alternatives, such as more aggressive user education or removing stickiness for all audience settings.”

Another awkward trust issue for Facebook which the documents could stir up afresh relates to its repeat claim — including under questions from lawmakers — that it does not sell user data.

In one email from the cache — sent by Mark Zuckerberg, dated October 7, 2012 — the Facebook founder appears to be entertaining the idea of charging developers for “reading anything, including friends”.

Yet earlier this year, when he was asked by a US lawmaker how Facebook makes money, Zuckerberg replied: “Senator, we sell ads.”

He did not include a caveat that he had apparently personally entertained the idea of liberally selling access to user data.

Responding to the publication of the Six4Three documents, a Facebook spokesperson told us:

As we’ve said many times, the documents Six4Three gathered for their baseless case are only part of the story and are presented in a way that is very misleading without additional context. We stand by the platform changes we made in 2015 to stop a person from sharing their friends’ data with developers. Like any business, we had many of internal conversations about the various ways we could build a sustainable business model for our platform. But the facts are clear: we’ve never sold people’s data.

Zuckerberg has repeatedly refused to testify in person to the DCMS committee.

At its last public hearing — which was held in the form of a grand committee comprising representatives from nine international parliaments, all with burning questions for Facebook — the company sent its policy VP, Richard Allan, leaving an empty chair where Zuckerberg’s bum should be.

Source link



Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Biz & IT

ChatGPT sets record for fastest-growing user base in history, report says

Published

on

Enlarge / A realistic artist’s depiction of an encounter with ChatGPT Plus.

Benj Edwards / Ars Technica / OpenAI

On Wednesday, Reuters reported that AI bot ChatGPT reached an estimated 100 million active monthly users last month, a mere two months from launch, making it the “fastest-growing consumer application in history,” according to a UBS investment bank research note. In comparison, TikTok took nine months to reach 100 million monthly users, and Instagram about 2.5 years, according to UBS researcher Lloyd Walmsley.

“In 20 years following the Internet space, we cannot recall a faster ramp in a consumer internet app,” Reuters quotes Walmsley as writing in the UBS note.

Reuters says the UBS data comes from analytics firm Similar Web, which states that around 13 million unique visitors used ChatGPT every day in January, doubling the number of users in December.

ChatGPT is a conversational large language model (LLM) that can discuss almost any topic at an almost human level. It reads context and answers questions easily, though sometimes not accurately (improving its accuracy is a work in progress). After launching as a free public beta on November 30, the GPT-3 powered AI bot has inspired awe, wonder, and fear in education, computer security, and finance. It’s shaken up the tech industry, prompting a $10 billion investment from Microsoft and causing Google to see its life flash before its eyes.

Also on Wednesday, OpenAI announced ChatGPT Plus, a $20 per month subscription service that will offer users faster response times, preferential access to ChatGPT during peak times, and priority access to new features. It’s an attempt to keep up with the intense demand for ChatGPT that has often seen the site deny users due to overwhelming activity.

Over the past few decades, researchers have noticed that technology adoption rates are quickening, with inventions such as the telephone, television, and the Internet taking shorter periods of time to reach massive numbers of users. Will generative AI tools be next on that list? With the kind of trajectory shown by ChatGPT, it’s entirely possible.

Continue Reading

Biz & IT

Netflix stirs fears by using AI-assisted background art in short anime film

Published

on

Enlarge / A still image from the short film Dog and Boy,, which uses image synthesis to help generate background artwork.

Netflix

Over the past year, generative AI has kicked off a wave of existential dread over potential machine-fueled job loss not seen since the advent of the industrial revolution. On Tuesday, Netflix reinvigorated that fear when it debuted a short film called Dog and Boy that utilizes AI image synthesis to help generate its background artwork.

Directed by Ryotaro Makihara, the three-minute animated short follows the story of a boy and his robotic dog through cheerful times, although the story soon takes a dramatic turn toward the post-apocalyptic. Along the way, it includes lush backgrounds apparently created as a collaboration between man and machine, credited to “AI (+Human)” in the end credit sequence.

In the announcement tweet, Netflix cited an industry labor shortage as the reason for using the image synthesis technology:

As an experimental effort to help the anime industry, which has a labor shortage, we used image generation technology for the background images of all three-minute video cuts!

Netflix and the production company WIT Studio tapped Japanese AI firm Rinna for assistance with generating the images. They did not announce exactly what type of technology Rinna used to generate the artwork, but the process looks similar to a Stable Diffusion-powered “img2img” process than can take an image and transform it based on a written prompt.

The film is currently available to view for free on YouTube.

Netflix’s official Dog and Boy promotional video.

Almost immediately, Twitter users responded with a torrent of negative replies to Netflix’s tweet announcing the film, such as, “I know a ton of animators looking for work if you guys are struggling to find them (are you looking very hard?).” Several others quoted legendary Studio Ghibli animator Hayao Miyazaki as saying that AI-powered art “is an insult to life itself.”

In a news release, Netflix expressed its hopes that the new technology would assist with future animation productions (translated by Google Translate): “As a studio, Netflix focuses on supporting creators in the creation of works on a daily basis. As the shortage of human resources in the animation industry is seen as an issue, we hope that this initiative will contribute to the realization of a flexible animation production process through appropriate support for creators using the latest technology.”

It also looks like Makihara also wanted to push boundaries in animation by using AI technology as part of the production process. The Netflix release quoted him as saying, “By combining tools and hand-drawn techniques, we can create something unique to humans … I think that the core of the story is ‘drawing a human being.’ I think that it will be possible to secure and return to its roots, which will eventually strengthen the strengths of Japanese animation and expand its possibilities.”

Labor shortage or not, AI assistance may possibly speed up production times and lower production costs, allowing the creation of more animated content than ever before. But will people be happy about it? That remains to be seen.

Continue Reading

Biz & IT

Up to 29,000 unpatched QNAP storage devices are sitting ducks to ransomware

Published

on

As many as 29,000 network storage devices manufactured by Taiwan-based QNAP are vulnerable to hacks that are easy to carry out and give unauthenticated users on the Internet complete control, a security firm has warned.

The vulnerability, which carries a severity rating of 9.8 out of a possible 10, came to light on Monday, when QNAP issued a patch and urged users to install it. Tracked as CVE-2022-27596, the vulnerability makes it possible for remote hackers to perform a SQL injection, a type of attack that targets web applications that use the Structured Query Language. SQL injection vulnerabilities are exploited by entering specially crafted characters or scripts into the search fields, login fields, or URLs of a buggy website. The injections allow for the modifying, stealing, or deleting of data or the gaining of administrative control over the systems running the vulnerable apps.

QNAP’s advisory on Monday said that network-attached storage devices running QTS versions before 5.0.1.2234 and QuTS Hero versions prior to h5.0.1.2248 were vulnerable. The post also provided instructions for updating to the patched versions.

On Tuesday, security firm Censys reported that data collected from network scan searches showed that as many as 29,000 QNAP devices may not have been patched against CVE-2022-27596. Researchers found that of the 30,520 Internet-connected devices showing what version they were running, only 557, or about 2 percent, were patched. In all, Censys said it detected 67,415 QNAP devices. The 29,000 figure was estimated by applying the 2 percent patch rate to the total number of devices.

“Given that the Deadbolt ransomware is geared to target QNAP NAS devices specifically, it’s very likely that if an exploit is made public, the same criminals will use it to spread the same ransomware again,” Censys researchers wrote. “If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users.”

In an email, a Censys representative said that as of Wednesday, researchers found 30,475 QNAP devices that showed their version numbers (45 fewer than on Tuesday), and that of those, 29,923 are running versions that are vulnerable to CVE-2022-27596.

The mention of Deadbolt refers to a series of hack campaigns over the past year that exploited earlier vulnerabilities in QNAP devices to infect them with ransomware that uses that name. One of the most recent campaign waves occurred in September and exploited CVE-2022-27593, a vulnerability in devices that use a proprietary feature known as Photo Station. The vulnerability was classified as an Externally Controlled Reference to a Resource in Another Sphere.

Tuesday’s Censys report said that devices vulnerable to CVE-2022-27596 were most common in the US, followed by Italy and Taiwan.

Censys also provided the following breakdown:

Country Total Hosts Non-Vulnerable Hosts Vulnerable Hosts
United States 3,271 122 3,149
Italy 3,239 39 3,200
Taiwan 1,951 9 1,942
Germany 1,901 20 1,881
Japan 1,748 34 1,714
France 1,527 69 1,458
Hong Kong 1,425 3 1,422
South Korea 1,313 2 1,311
United Kingdom 1,167 10 1,157
Poland 1,001 17 984

In the past, QNAP has also recommended that users follow all of these steps to lower the chances of getting hacked:

  1. Disable the port forwarding function on the router.
  2. Set up myQNAPcloud on the NAS to enable secure remote access and prevent exposure to the Internet.
  3. Update the NAS firmware to the latest version.
  4. Update all applications on the NAS to their latest versions.
  5. Apply strong passwords for all user accounts on the NAS.
  6. Take snapshots and back up regularly to protect your data.

As reported by Bleeping Computer, QNAP devices over the years have been successfully hacked and infected with other ransomware strains, including Muhstik, eCh0raix/QNAPCrypt, QSnatch, Agelocker, Qlocker, DeadBolt, and Checkmate. Users of these devices should take action now.

Continue Reading

Trending