Facebook let Netflix see user DMs, quit streaming to keep Netflix happy

tsunamihippo
70 replies
17h38m

The article skips a lot of context to make it sound significantly worse than reality. Facebook didn't just randomly give Netflix access to everyone's messages. A specific user would need to purposefully log in to the Netflix app with their Facebook account in order to grant Netflix access to the chat functionality (intended to send movie recommendations to Facebook friends inside the Netflix app).

https://about.fb.com/news/2018/12/facebooks-messaging-partne...

Disclaimer: I work at Facebook but not on messaging or anything related to this article.

lupire
23 replies
17h1m

And if a user consented to Netflix-based chat, Facebook overshared all chat data, instead of only the Netflix chat data, because they couldn't be bothered to build a properly isolated API?

That's like asking permission to read and write your entire phone, just to provide the ability to write and read back a file.

rezonant
7 replies
15h4m

This isn't how permissions work in most OAuth APIs. When you request permissions on apps like this, you request an "action" on a "subject". The "action" can be read/write/delete, the subject can be "DMs". How does Facebook determine whether a specific DM is a Netflix DM? In the database it's just a message from one user to another, with a certain text content.

By the way I'm not suggesting that it can't work this way, just that it doesn't. Facebook could have added a specific scope to allow an app to only read back messages related to itself. But that would have required anticipating the use case before these companies implemented it, or at least having better review policies to try to reduce the permissions apps are asking for.

But if the app wants to allow the user to have a back and forth with the other user, then that implies that Facebook Chat needs to have the ability to have app-specific conversation threads. It doesn't have that, though.

Netflix and Spotify requested read permission for DMs. Did they need it? Most assuredly they did not. But requesting read permissions for DMs in general has valid use cases, even if it should be treated sensitively by Facebook's authentication flow.

If there's any problem here, it's that Facebook didn't seem to recognize that the apps (Netflix and Spotify) should not have been requesting read privileges at all, and should have revoked their ability to request that permission in a timely manner.

slowmovintarget
4 replies
14h41m

This is why OAuth is insufficient for privilege management, especially for multi-tenant systems, or what should be segregated data sets. You want to grant access to dataset abc123, but not dataset abc124 belonging to the same user.

This leads to an explosion of scopes, or an explosion of API keys, unless you have a policy engine, or resource-based access control. A company as big as Meta should be able to (is able to) do better than they did, but they probably didn't think this was worth prioritizing because money lies in attention farming, not in mending the fences.

abalone
1 replies
8h57m

OAuth 2.0 is perfectly fine for privilege management. The problem is they granted read access when all Netflix needed here was write access.

An analogy would be granting full access to a Gmail inbox in order to merely send an email. It would not require “scope explosion” to isolate the email sending permission. That’s just one OAuth scope. They just didn’t isolate it.

The more interesting question here is how this interacts with supposed end-to-end encryption. Clearly the messages Netflix sends cannot be E2EE (right?). The whole point of E2EE is the service provider doesn’t have your keys. If Facebook is letting 3P send messages on your behalf, they must be unencrypted.

Normally, ideally, in an E2EE system this should set off alarm bells. If you get a message from someone that’s not actually signed/encrypted by them, this should be very clearly alerted. Otherwise it’s a privacy attack vector. You could be downgraded to an unencrypted channel without your awareness.

So, what’s the Facebook messenger user experience here?

michaelt
0 replies
8h46m

> The problem is they granted read access when all Netflix needed here was write access.

At that point, why not just have a URL that opens facebook with a message pre-populated and skip all the oauth?

rezonant
0 replies
14h21m

It's not just RBAC, the actual feature needs to be designed with this sort of use in mind. When it is, OAuth is perfectly capable of handling it. The ideal way to implement something like this is to expose the message in the Facebook Chat app as a "Netflix Chat", separate from your normal one on one conversation with a user. Then, any message in the Netflix chat is shared with Netflix so they can render it in their UI, but nothing else. Put a message under the Netflix logo in Facebook Chat that says "Netflix will be able to read messages in this chat"

The OAuth consent screen details for an app ("Netflix" and the Netflix logo, etc) could be used to present this to the user.

However this presupposes that this was ever a good idea. On desktop you have a Facebook tab you can chat from, and on mobile, you want to chat on the Facebook (or whatever) app so you have all of its normal features, instead of a gimped version stuck inside a third party app. The third party app only needs to be able to ask the user if it's OK to send a message with specific content, and possibly be able to enumerate who it might send to, but even that we've weeded out into the OS' own Share dialog nowadays.

prox
0 replies
7h8m

It’s also an already solved problem. Every contact could be like a channel (like in IRC) where you can gain access to (or not)

sebasvisser
0 replies
10h22m

So when it comes to adding value for advertising fb is able to separate every object and data piece into sickening degrees of detail… but when it’s about privacy and authentication it’s “not the way things are done around here”… As you’ve mentioned as well it’s a choice by fb. Just as we have a choice to call fb out on making immoral choices. Better yet, the developer(s) that coded this part, and the developers that make a daily choice to maintain it in its current form.

And yes, it’s a choice. Just because people don’t take responsibility to make a deliberate choice, doesn’t mean it’s not a choice.

btown
0 replies
5h25m

Slack has a notion of private channels to which a bot can be added. Even a bot with full OAuth scopes can’t read private channels it hasn’t been granted access to. Of course, many people wouldn’t explicitly add the Netflix bot to their DM with their friend - but that’s exactly the point here.

OAuth is absolutely compatible with bots being treated as principals in a social graph, it’s just that that’s incompatible with the type of passive surveillance that was desired here.
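An added illustration of the design point argued in this subthread (slowmovintarget's resource-based access control, rezonant's separate app-visible thread, btown's bot-as-principal model); it is not part of any comment and is not Facebook's or Slack's code. The scope names, the `moviesapp` client and all sample threads are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical scope names, not any real platform's identifiers.
READ, WRITE = "messages:read", "messages:write"


@dataclass(frozen=True)
class Message:
    thread_id: str
    sender: str
    text: str


@dataclass
class Thread:
    members: set                             # user ids in the conversation
    apps: set = field(default_factory=set)   # app principals added to this thread


@dataclass(frozen=True)
class Token:
    app_id: str
    user_id: str
    scopes: frozenset


class MessageStore:
    def __init__(self):
        self.threads = {}
        self.messages = []

    def add_thread(self, thread_id, members, apps=()):
        self.threads[thread_id] = Thread(set(members), set(apps))

    def _require(self, token, scope):
        if scope not in token.scopes:
            raise PermissionError(f"{token.app_id} lacks scope {scope}")

    def send(self, token, thread_id, text):
        """Write path: needs only the write scope plus thread membership."""
        self._require(token, WRITE)
        if token.user_id not in self.threads[thread_id].members:
            raise PermissionError("user is not in this thread")
        self.messages.append(Message(thread_id, token.user_id, text))

    def read_scope_only(self, token):
        """Action-on-subject model: READ unlocks every thread the user is in."""
        self._require(token, READ)
        return [m for m in self.messages
                if token.user_id in self.threads[m.thread_id].members]

    def read_resource_scoped(self, token):
        """READ plus a per-thread grant: the app must be a principal on the thread."""
        return [m for m in self.read_scope_only(token)
                if token.app_id in self.threads[m.thread_id].apps]


def build_demo():
    """Constructed data: alice links 'moviesapp'; only one thread includes the app."""
    store = MessageStore()
    store.add_thread("alice-bob", {"alice", "bob"})
    store.add_thread("alice-carol", {"alice", "carol"})
    store.add_thread("bob-carol", {"bob", "carol"})
    store.add_thread("alice-bob@moviesapp", {"alice", "bob"}, apps={"moviesapp"})
    # Messages written earlier through the first-party client.
    store.messages += [
        Message("alice-bob", "bob", "see you at 8"),
        Message("alice-carol", "carol", "lab results attached"),
        Message("bob-carol", "bob", "unrelated to alice"),
    ]
    token = Token("moviesapp", "alice", frozenset({READ, WRITE}))
    store.send(token, "alice-bob@moviesapp", "watch this one")
    return store, token


if __name__ == "__main__":
    store, token = build_demo()
    print("scope-only read:     ", [m.text for m in store.read_scope_only(token)])
    print("resource-scoped read:", [m.text for m in store.read_resource_scoped(token)])
    write_only = Token("moviesapp", "alice", frozenset({WRITE}))
    try:
        store.read_scope_only(write_only)
    except PermissionError as exc:
        print("write-only token:    ", exc)
```

With the same token, the scope-only check returns all of alice's private threads, while the per-thread grant returns only the conversation the app was added to; a write-only token can still send a recommendation but cannot read anything back.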

vlan0
5 replies
15h57m

What incentive does FB have to limit that access? Feels like MBAs would just see that as a cost/burden? We know FB does give a fuck about privacy, so that’s never gonna be a reason.

captn3m0
2 replies
15h29m

Courts across the world fining them.

pooper
1 replies
15h8m

The fines have to be more than 100% of global annual revenue if they are going to matter.

The other option is long prison sentences for the board and CEO.

exe34
0 replies
11h17m

We often act as if corporations are unalignable super intelligences, but you're right, if there are consequences for the board/executive/shareholders, they would start caring.

yen223
1 replies
12h55m

If you believe FB is in the business of selling user data, then giving out user data for free is not an optimal move.

vlan0
0 replies
4h41m

Absolutely. So the question is, did FB view this through that lens? If they did, then maybe the ROI wasn't there. So they said fuck it.

Wowfunhappy
3 replies
15h5m

> That's like asking permission to read and write your entire phone, just to provide the ability to write and read back a file.

...it occurs to me that this is in fact how most desktop apps work, and I do prefer it that way.

ornornor
2 replies
14h26m

On windows idk but Unix has permissions for that reason.

Wowfunhappy
0 replies
11h44m

There are permissions, but I think https://xkcd.com/1200/ is relevant here.

Dylan16807
0 replies
14h17m

Normal Unix permissions do nothing here in a desktop context because the program is running under your account.

Euphorbium
1 replies
12h58m

That is how permissions work on android. I hate it.

amelius
0 replies
9h8m

That's why I moved to GrapheneOS.

toofy
0 replies
16h41m

i’d question the “…couldn’t be bothered to build…” i’d be more likely to believe they knew exactly what they were sharing and wanted it that way.

londons_explore
0 replies
8h13m

The engineers who worked on Chat at facebook likely had the same access... They had an employment contract which said that they were allowed to use their access to debug bugs and improve the product, but not to spy on their girlfriends' DMs.

Netflix presumably had the same.

As long as that access is audited to ensure it really was being used only for the intended purpose, I'm fine with that.

Inspected 50 messages all from your test account: fine. Inspected messages from an account after that user contacted customer support citing a problem with messages: fine. Inspected messages from an account after that account fired off alerts to the devops team for causing segfaults: fine. Look at a random account: not fine. Dump messages from many accounts with a script: not fine, and rate limits should stop you after like 100 messages.

krisoft
0 replies
9h4m

I don’t know. If there is a “Facebook Messenger” feature on some Netflix interface then I would be surprised if it only worked with some chats and not others.

(That being said I have no clue why there would be such a thing, and why a user would prefer it? Maybe if Netflix were making set-top boxes)

notnmeyer
17 replies
17h27m

so you agree then that “private” messages aren’t private on fb? i don’t know how to interpret this in a way that isn’t terrible for fb users…

scarface_74
15 replies
17h24m

If you give access to your chat as the parent poster claims, why are you surprised that Netflix has access?

bluefirebrand
6 replies
17h21m

You would expect that giving permission to send specific pre-approved messages does not imply permission to read everything you've ever said to anyone or they've said to you.

Right?

reissbaker
5 replies
17h4m

That's not what the feature was. The feature was that you could use Messenger inside Netflix and Spotify to chat with your friends without leaving those apps. If you opted into using Messenger to chat with your friends inside Spotify, I'm confused why you think Spotify couldn't access your messages, given that Messenger was unencrypted at the time and you were running it inside Spotify. How else would the feature work? It's Messenger running inside Spotify; just like how iOS has access to the unencrypted files and network traffic of any app on your iPhone, Spotify could access any of the unencrypted files or network traffic in Spotify.

It's a dumb feature and I'm glad they killed it, but the "gotcha" here isn't much of a gotcha IMO. It was an opt-in feature to use Messenger inside these other apps; of course the other apps could see your messages if you opted into that. It's like complaining that GMail "shares your private email" with Apple Mail if you use Apple Mail as your mail client.

chatmasta
2 replies
16h43m

The web was rampant with these patterns in the early 2010s when OAuth didn't exist, and HTTPS the exception rather than the rule.

The most egregious example was probably LinkedIn's GMail "integration," ostensibly used to invite your GMail contacts to LinkedIn. Back then, that sort of thing felt innocuous. But the implementation was even worse. Due to lack of OAuth and MFA, you literally entered your GMail password into LinkedIn. Then LinkedIn logged into your GMail account where they could do anything. Even if they limited it to scraping your contacts, they still got every email address you'd ever sent or received an email to or from, over the lifetime of the account.

In any other context this would be called phishing. And by the way, this pattern still exists. For example, apps that force you to log into a third party site in their embedded WebView can read the entire DOM (including your password). ..

reissbaker
1 replies
16h20m

Yeah definitely. There are still some pretty bad patterns out there; for example, if you try to add an event from Facebook Events to your Google Calendar, instead of generating a normal ICS file or event link, they... ask for read/write access to your entire Google Calendar account. No thanks!

Similar to apps that ask for access to your entire Contacts list to "find your existing friends"... You can bet they're uploading that entire thing to their servers and trying to growth hack with it.

jdminhbg
0 replies
15h23m

Would be nice if APIs offered more granular permissions. Almost every one of these is global read/write so it’s impossible to distinguish between good and bad actors.

lupire
1 replies
16h59m

Think about the difference between accessing these specific messages, and accessing all messages.

reissbaker
0 replies
16h44m

If I give Apple Mail my credentials for my GMail account, I would expect Apple Mail to be able to access my email in my GMail account. Switching the word "email" to "DM" doesn't feel like a meaningful difference: if I'm using a third-party client to access and send messages, of course the third-party has access to my messages. Would I expect Tweetbot to be unable to access any tweets other than the ones sent from Tweetbot? That's... not a very useful third-party client. These were third-party Messenger clients; they had access to your Messenger DMs if you opted into using them.

notnmeyer
4 replies
17h11m

it’s disingenuous to think that users read and fully understand the various permission scopes of a service. “private” has an unambiguous meaning—playing the “well, technically” card falls pretty flat imo.

scarface_74
3 replies
16h31m

When you give your mail client credentials to read your email, would you not expect your client to be able to read your mail?

On Android, when you give a third party client permission to receive SMS, you don’t expect it to have access to your SMS?

SoDmbIHadToRply
2 replies
15h58m

So when I give thunderbird my email details, someone at thunderbird gets access to all my emails?

sashank_1509
0 replies
14h37m

unless I’m wrong thunderbird software has complete access to all your emails when you give thunderbird your email details. Of course, that does not imply that a specific thunderbird employee can read your emails, it is probably encrypted on that end but if they pull a switcheroo and download all your emails into an AWS instance, yes that might be possible (and probably wildly illegal too)

rezonant
0 replies
14h36m

If Thunderbird had a hosted web version, yes. Are you arguing that data portability and interoperability should never be possible if the receiving app is an online service?

Of course Thunderbird could send an automatic update that starts shipping your emails to Thunderbird's servers. You don't expect that, but only because you trust them.

hipadev23
2 replies
17h17m

Because it’s not a reasonable expectation that your private messages would be shared with an advertising partner when you link your account to it, and “give access” is rarely a step that your average user actually reads, much like agreeing to TOS’s upon signup.

And catering to the average user’s expectation is what should dictate policy, not a “technically we have permission” caveat.

vel0city
0 replies
14h11m

> would be shared with an advertising partner

In this case Netflix was not an advertising partner. You were signing into Facebook Chat inside the Netflix chat, and participating in Facebook chat messages inside the Netflix app.

You were opting in and using the Netflix app as a Facebook Chat client. It's like being surprised the Pidgin executable could see your Jabber messages.

rezonant
0 replies
14h39m

In the sense that some users may not have realized what they were allowing, that's fair. But that just implies that the permission dialog for this sort of thing should be pretty onerous while being very easy to understand.

There are details that aren't clear here too: Did Netflix request read permissions when you signed in via Facebook? If so, that's shitty and is worthy of condemnation, but the onus falls more on Netflix than Facebook there. You should be able to sign in with Facebook without expecting your DMs to be sent to Netflix. It's still on Facebook, but to a much lesser extent: They should make what's being shared super clear when you sign in with Facebook, and that includes making the sign in super onerous and scary if it's something like reading DMs, so the user doesn't miss these details. And they should be reviewing third party apps and what permissions they request, and making sure it's in line with the functionality the app is presenting.

However, if the normal Facebook authentication flow did not grant this permission, and the permission was only granted when the user accessed the "Netflix Chat" or whatever feature which obviously did, in actuality, require the read permission to function, then this isn't that big a deal.

airtonix
0 replies
17h24m

not if you log in to enable and agree to share such messages. no.

cm2012
12 replies
15h39m

If this wasn't Facebook it wouldn't even be news.

soraminazuki
11 replies
15h16m

I hope you’re being sarcastic? Or is that actually your stance on people’s privacy rights?

rvba
6 replies
15h7m

Lots of comments here look like some sort of astroturfing made by a PR agency

robocat
4 replies
13h33m

"Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data." - https://news.ycombinator.com/newsguidelines.html

choppaface
3 replies
9h33m

The root comment is literally a Facebook employee who is intentionally trying to change the narrative. An employee of a company that has been fined billions for privacy breaches, that was responsible for literal voter suppression https://www.opendemocracy.net/en/dark-money-investigations/t... etc etc

HN "guidelines" say "Please don't post shallow dismissals" -- Don't allow FANG to astroturf these forums.

valicord
1 replies
5h3m

Are you suggesting that people working at companies you don't like should be banned from HN simply because of who their employer is, or that they should not be allowed to reveal conflict of interest when discussing topics related to their employer?

choppaface
0 replies
2m

Not at all. I’m saying it should be supported to meet any employee’s bias with thorough skepticism.

saagarjha
0 replies
8h24m

Your concern is exactly what the guidelines are talking about.

cm2012
0 replies
6h9m

I've been on HN since 2007 man.

AnotherGoodName
1 replies
14h4m

Google docs literally has the exact same feature and we're not even talking about it. Using the exact same OAuth framework as here you can grant Netflix and Spotify the right to read everything and all comments in your Google Docs. You can even grant them the right to read all your emails in Gmail!

In all seriousness i believe anyone providing oauth should just shut it down at this point, Cambridge Analytica was entirely users granting a third party oauth access to read their friends lists with an explicit permission dialog and all and it was a scandal that led to massive fines. The world decided that oauth access is not ok even with the dialogs prompting to allow third party access and at this point we as developers should listen and take it away. Google currently flies under the radar with the exact same access that led to cambridge analytica but they should probably just shut it down unless they want to run the risk of similar court cases.

tety
0 replies
6h9m

In order to write something that reads user emails in Google APIs you have to go through multiple levels of hell, so I don't think that's a fair comparison

rezonant
0 replies
14h44m

Boiling it down here... some users hit the "Yes" button when Facebook asked them if it was OK to allow Netflix to access their DMs for a feature that allowed you to chat (bidirectionally) with your friends inside the Netflix app. That's a privacy violation?

kazinator
0 replies
15h11m

Rather, it seems like cynicism about the media, than a stance on rights.

k8svet
4 replies
16h59m

So... this sounds like OAuth, with a nice consent scene that says I'm giving Netflix this access to my FB DMs. That's what you mean, right? Otherwise, what the fuck is the difference?

And really, as if this makes anything better, wow. Imagine having the feeling of obligation that you have to stick your neck out over this. Just take your over-sized salary and be happy knowing you work for one of the worst companies of our time. (despite my tone, at this point, I honestly say that without judgement, just ... own it.)

navigate8310
1 replies
15h1m

Totally agree with the sentiment here. The comment by the employee makes it sound like it's the user's fault. Something akin to dark pattern and malicious compliance by giving the user an OAuth consent for their DM.

rezonant
0 replies
14h28m

It's only a dark pattern if this was the permission Netflix asked for when you hit "Sign in with Facebook" or some other unrelated feature. If the permission was granted when you tried to use Netflix Chat, a bidirectional in-app chat powered by Facebook, then it's not a dark pattern at all, it's just the usual way things are done.

k8svet
0 replies
15h14m

Lmao, love seeing what HN decides is controversial these days.

God give me the power of some of y'all's utterly depraved self-serving self-delusion. I at least acknowledge the moral compromise of how my labor accrues in the system instead of burying my god damn head in the sand about it and offering poor incoherent defenses of my employee in public. And I make a third of what I could make at FB, and still probably don't contribute as negatively to the world.

aardvarkr
0 replies
16h12m

When you give your mail client credentials to read your email, would you not expect your client to be able to read your mail?

On Android, when you give a third party client permission to receive SMS, you don’t expect it to have access to your SMS?

YeBanKo
2 replies
15h38m

Thanks for the context, it's important. But from the link you posted:

  > In order for you to write a message to a Facebook friend from within Spotify, for instance, we needed to give Spotify “write access.” For you to be able to read messages back, we needed Spotify to have “read access.” “Delete access” meant that if you deleted a message from within Spotify, it would also delete from Facebook. No third party was reading your private messages, or writing messages to your friends without your permission.

So here Facebook acknowledges that an app that sends messages needs write permission, not read. I would assume that sending a recommendation is a write only thing, especially with something as private as direct messages. And it is a pretty well understood pattern. When you share something through iMessages, Signal or WhatsApp from a different app, the app does not get access to your chat history.

The allegations that Ars Technica makes are pretty severe:

  > By 2013, Netflix had begun entering into a series of “Facebook Extended API” agreements, including a so-called “Inbox API” agreement that allowed Netflix programmatic access to Facebook’s users' private message inboxes

Strange naming "Inbox" for sharing API.

  > in exchange for which Netflix would “provide to FB a written report every two weeks that shows daily counts of recommendation sends and recipient clicks by interface, initiation surface, and/or implementation variant (e.g., Facebook vs. non-Facebook recommendation recipients).

This is something that Netflix could do even without special access to the messages, since links originate from them. But so could Facebook, since they see the traffic in messages and can identify referral links. Looks like Titan API, whatever it is, gave even more access?

NYTimes article from 2018 [1] has more details, but it is still unclear if user consent was explicitly obtained for Netflix to read messages. But an interesting quote from Steve Satterfield, Facebook’s director of privacy and public policy:

  > With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require the social network to secure users’ consent before sharing data because Facebook considered the partners extensions of itself — service providers that allowed users to interact with their Facebook friends.

A rather conspicuous statement by someone who has properly collected consent from users.

[1] https://archive.is/DH17k

rezonant
1 replies
14h47m

> So here Facebook acknowledges that an app that sends messages needs write permission, not read.

I guess the feature at issue here is that you could actually hold a conversation with a Facebook friend inside of Netflix or Spotify which does indeed necessitate the ability to read back messages from the other user.

Whether it was wise to allow that instead of the kind of sharing systems we use today in 2024 is another question.

YeBanKo
0 replies
13h51m

Depending on the OS architecture it might be possible to have an SDK render messages without handing any data to the parent app. Or if it's not possible at least the question is where any of the messages even hit Netflix servers.

lesuorac
1 replies
16h23m

> Disclaimer: I work at Facebook but not on messaging or anything related to this article.

So, it could work exactly as it sounds and you'd have no idea?

---

Although I'm not sure the complaint [1] (linked from the article) actually says that messages were given.

[1]: https://cdn.arstechnica.net/wp-content/uploads/2024/03/compl...

trolan
0 replies
16h15m

Yes I think they're giving their general nerd opinion while also being transparent about possible conflicts. Their comment reads like an analysis of the article not the technology.

aihkas
1 replies
8h25m

You're a Facebook criminal, no one will take you seriously, so please shut up. You have to be a sociopath to work for such a criminal gang aka Meta.

dang
0 replies
0m

You can't attack another user like this, no matter how you feel about their employer.

Since you've done this before

some1else
0 replies
10h45m

Note that everyone had access to the Inbox API at the time. We made an art project highlighting the invasiveness of such broad access:

"E-dentity is a project that asks a participant to login to its Facebook account, then takes his/ her private data from their profile and automatically prints them in an understandable booklet that is handed to the user. This booklet seeks to raise awareness of the hidden data we are sharing which we are often not aware of."

https://github.com/some1else/Edentity

ionwake
0 replies
15h3m

I only read the headline and this reply gave me even greater concern. wtf they shared ALL msg data for logging into Netflix chat?!?

I dunno I’m surprised I’m still surprised these days

choppaface
0 replies
9h40m

> Disclaimer: I work at Facebook but not on messaging or anything related to this article

Same as "Hey, Googler here. Let me tell you how I'm right and why you should think this way."

> Facebook didn't just randomly give Netflix access to everyone's messages.

That's not at all what the title alleges, nor what the article says. The article (1) provides evidence that Facebook monetized user private messages in a data-sharing project with Netflix and (2) cites court documents that litigate Facebook having Jedi-Blue-like monopoly-preserving interaction with Netflix.

It doesn't matter what the Facebook TOS says or how the tech works. Human users never provided informed consent that their private comms would be monetized as well as used for anti-competitive un-American purposes (un-American as in the Sherman Act, altho creating a monopoly is perhaps very American indeed). And Facebook has done that time and time again.

mcherm
20 replies
18h3m

I'm not clear whether I understood what the article is claiming. It's clear they claim that Meta shared customer's direct messages with a business partner without notifying the individuals who sent and received the messages. It also SOUNDED to me like the article was claiming they did so AFTER Meta introduced "end-to-end encryption" (which would ALSO mean that they were lying about offering end-to-end encryption). Am I reading that correctly?

benreesman
11 replies
17h41m

The cluster of allegations is that the Onavo acquisition put FB-designed and built rootkits underneath TLS on a significant fraction of all smartphones in the United States and that FB/IG (now Meta) used clear text access to ostensibly secure HTTPS sessions to extract arbitrary data from both competitors and partner companies to play poker with X-Ray glasses on as concerned all competition in an ostensibly free and fair and competitive marketplace while simultaneously creating scope for arbitrary other advanced actors to exploit the same intentionally crippled OS-level security at the cost of weakening the entire world’s digital security infrastructure for pure financial profit without so much as a FISA court order to justify such actions.

If substantiated, such accusations would be among the most damning in the history of technology.

nemothekid
7 replies
16h2m

> If substantiated, such accusations would be among the most damning in the history of technology.

If substantiated? Just search Onavo on HN search - I thought this was widely known for years.

benreesman
6 replies
15h45m

As a former employee until 2018, I heard the words “Project Ghostbusters” two days ago. I was peripherally aware of something called Onavo but I had no notion that anyone was talking about “kits”, we all thought it was some kind of metrics thing that was sort of iffy sounding but lots of iffy ideas got proposed by some PM looking to make a name and shot down by the grownups, what is alleged would have provoked a riot at the weekly all hands.

If any of this is true they didn’t tell people like me about it, and at one point there were three people on the org chart between myself and the CEO.

I’m very skeptical of the allegations, but I’d be lying if I said I found them to be flat impossible. I tread very lightly on this sort of thing and I didn’t even acknowledge I’d ever heard the word Onavo until I read it on TechCrunch.

I certainly hope they’re false: FAIR seems to be the last real hope for an Open future on AI short of a complete housecleaning of the whole Valley.

sunshowers
2 replies
15h28m

Ex-FB here -- I do feel like I knew about the general scope of what Onavo did, which was to incentivize people so FB could snoop on TLS traffic and grab data about competitor usage.

benreesman
1 replies
15h17m

Could be a question of what we worked on. I did Ads ML Infrastructure, Abuse Detection Systems (spam basically), and then more ML Infrastructure on IG Feed/Stories. I was deep enough in the engine room it was all more or less feature embeddings. So it’s probably fair to say I would have known less about strategic maneuvering than plenty of less tenured folks closer to the surface.

I knew it sounded vaguely sketchy but you remember how many vaguely sketchy things some frisky new PM tried to get pushed through a launch card meeting only to have someone on Sheryl’s radar detonate it on the launch pad. The timeframe is the main reason I’m skeptical: Sheryl didn’t put up with crap like that she knew what was at stake.

sunshowers
0 replies
12h52m

I was on devinfra/source control (worked 2012-2018 in that area before switching to Libra) so we weren't making decisions, but we got to see a bunch of what happened as it happened. Onavo was always treated as pretty sus among the people I worked with, who were largely linux/free software/security types.

As Pedro said in the email described in [1], no sufficiently well-informed, security-minded person could ever be comfortable with Onavo.

[1]: https://techcrunch.com/2024/03/26/facebook-secret-project-sn...

1oooqooq
1 replies
8h2m

My guess: you were in ads/targeting. And at most a Director. i.e. mostly operations.

The people in targeting/demand/supply know absolutely nothing about profile building. And there is where all the competitive advantages lie. And also all the shady deals.

We usually keep everything very secret in profile building because that is the knowledge that allows people to leave and start competitors, but we disguise it as the usual think-of-the-children and say that profile building deals with all sorts of borderline-PII and only the most vetted people should work on it.

Ask some sysadmin to list the ACL to the main ads profile HDFS or whatever it is today. It will show a couple architects who report to one SVP each.

benreesman
0 replies
4h29m

A remarkably astute analysis based on very limited information.

My job was to use information retrieval, machine learning / AI, auction theory, and pragmatic statistical sampling to both accurately model and stably price ads inventory and later dollarized organic inventory to drive specific policy agendas about what got clicked on, dwelled on, commented on, seen in recommender systems in equilibrium to achieve specific policy agendas of various kinds but all ultimately tying out at top-line revenue and engagement metrics.

It did not take me long to work out that PII was useless in this pursuit, there’s no entropy in the off-property like button table as concerns CTR.

It did not take me long to realize that I didn’t want to know what it was useful for.

I easily had the seniority to run queries against Hive tables that I had an explicit personal priority of never querying.

And I left the senior leadership track at the last stop before a directorship.

nemothekid
0 replies
14h52m

I had a friend tell me about Onavo in ~2015. I won't delve into what he told me, but at the time I had the "move fast and break things" spirit and thought it was a pretty cool tool that they had figured out to get competitive information. He never showed me anything, but allegedly they could even see what features were being used in other apps.

But I don't think this is something he made up, it's been discussed on HN.

https://news.ycombinator.com/item?id=16381812

I wonder if it'd be possible to make a social networking startup, optimise solely for Onavo metrics, and get bought out by Facebook.

https://news.ycombinator.com/item?id=16373339

The Onavo VPN service from Facebook is disguised as a protection mechanism but tracks the user for the benefit of Facebook.

https://news.ycombinator.com/item?id=14971839

The database stems from Facebook’s 2013 acquisition of a Tel Aviv-based startup, Onavo, which had built an app that secures users’ privacy by routing their traffic through private servers. The app gives Facebook an unusually detailed look at what users collectively do on their phones, these people say.

I am surprised that this accusation is at all controversial.

loeg
0 replies
15h32m

such accusations would be among the most damning in the history of technology.

You're putting this up there with IBM in the holocaust?

ajdude
0 replies
16h30m

If this is true that sounds really, really, bad.

ahahahahah
0 replies
14h5m

This article has nothing to do with onavo.

tobias2014
3 replies
17h50m

I find the article quite confusing and unclear to be honest. Are there any other sources?

This is the original NYT article from 2018 https://www.nytimes.com/2018/12/18/technology/facebook-priva... "Internal documents show that the social network gave Microsoft, Amazon, Spotify and others far greater access to people’s data than it has disclosed."

Facebook promised E2E at the end of 2023.

dylan604
1 replies
16h45m

Facebook promised E2E at the end of 2023.

Wait, seriously? Like 4-6 months ago? Like, yesterday in terms of how long they haven't had it? Sheesh, a day doesn't go by that I'm not reminded of how happy I am to have dropped FB so long ago.

ahahahahah
0 replies
14h4m

They've had it for years, it was just opt-in. More recently they've applied it to everything.

rgbrenner
2 replies
17h36m

FB has supported e2e messaging since 2016, but it wasn't the default until 4 months ago (Dec 2023). So likely very few users had it enabled (much less on both ends needed to protect a message from FB).

The netflix deal starts in 2013. Even after 2016, e2e would just mean netflix would get slightly fewer messages.

So I don't see anything that would necessarily indicate FB is lying about e2e.

petesergeant
1 replies
16h50m

I wonder if there’s a timing connection here with FB Messenger “upgraded the security of this chat” messages I’ve had on a couple of long-running conversations recently

Jerrrry
0 replies
16h40m

sheer coincidence, not to google-slide.

bastawhiz
0 replies
18h1m

It sounds like it, and if true, is pretty damning.

crmd
16 replies
17h26m

This is one of the litany of bad things that happen when antitrust precedent is ignored and we allow a small number of companies to become large enough to dominate the economy.

scarface_74
14 replies
17h23m

So are you claiming Netflix is a “monopoly” and if so, how would you break them up? The same question for Facebook.

This is a case of possible “collusion” not anti trust

waveBidder
9 replies
17h6m

open protocols in the case of Facebook and banning studios from owning/exclusivity with distributors in the case of Netflix.

scarface_74
8 replies
16h35m

So you are saying that no one can distribute their own work on their own website? Where do you draw the line? Can I not create my own video and put it on my website? Can I not work with friends and we all post our own video on our own website that we jointly own?

How do we stop foreign studios from distribution over the internet? Do we block them too?

Why stop at films? Should book authors also not be allowed to self publish? Software developers?

waveBidder
3 replies
16h15m

it's about scale, obviously. the sorts of ventures you make a limited liability corporation for. you want to protect yourself from the potential risks? Then participate in the market in a fair and non-abusive manner.

Same thing for publishing companies. individual authors can do whatever they like.

JustExAWS
2 replies
14h26m

I ask the same question, if Netflix decides to incorporate in Canada are you going to make a law that forces ISPs to block them? Are large newspapers not allowed to produce their own content? Do you draw the line at newspapers and news organizations because of freedom of the press and then do you allow Netflix to produce their own documentaries but not fictional shows?

waveBidder
1 replies
2h6m

blocking studio owned distributors from other jurisdictions makes sense, though I'm sure it's the sort of thing that would happen on a case by case basis.

Newspapers in general don't syndicate most stories to begin with, so no I don't think it makes sense in that context.

by the way, this isn't some weird new policy. the equivalent applies to studios and movie theaters [1]. we just neglected to extend the policy to online distribution because the powers that be decided vertical monopolies are OK, actually. [1] https://www.thebignewsletter.com/p/the-slow-death-of-hollywo...

scarface_74
0 replies
1h37m

It’s actually not only not been extended, the actual consent decree has been sunset.

Back when it was decided, the only method to get your content in front of an audience was to ship physical media to a physical theater.

Now I can create a video from the device I have in my pocket that has much higher quality than was available in the 30s, upload it either to YouTube or an AWS S3 bucket and upload a yaml file that creates a CloudFront distribution (AWS’s CDN) and distribute it worldwide and create a web page that anyone with a $70 (unsubsidized) Android can watch.

Not only that Comcast - a cable company - owns both the modern distribution pipes that have far more reach than the studios ever had and a studio (Universal) and a broadcast TV and an Internet streaming service.

But there is no “monopoly” on either video creation or distribution or streaming.

I can’t believe someone is actually advocating that the government block foreign content over the internet because you don’t agree with producers being distributors. Are we going to create the “Great Wall of America”?

And who gets to decide what content that should be blocked?

So let’s take Fox News or any other news organization or even the Discovery network. They all create documentary content. Should they not be allowed to stream their own content? Wouldn’t it be against the freedom of speech and/or press to say that you can’t stream your own content via your own website?

thisgoesnowhere
3 replies
15h12m

This slippery slope/where do you draw the line argument is very weak.

It's like saying me accidentally spilling a bit while doing a oil change in my garage is the same as BP spilling hundreds of thousands of gallons of crude.

Scale matters. And "where you draw the line" can be defined loosely to be left up to interpretation at the time.

JustExAWS
2 replies
14h31m

So you are going to pass a law that says depending on size, American companies can’t create content and distribute it?

And then foreign companies are still allowed to distribute their own content? Are you going to block them from transmitting to the US?

If Netflix decides to incorporate in Canada, are you going to stop them from distributing their own content to US citizens?

You really don’t see a problem with the government prohibiting companies from distributing their own content over the internet?

Does that count for newspapers? Video content created by large newspapers?

thisgoesnowhere
1 replies
6h13m

The law can be written in a way that leaves it up for interpretation. It's not a simple IFTTT statement, that's why judges exist and why they make rulings that get cited in other cases. It's a feature of our system that I don't need to answer all your needlessly pedantic questions and just leave it up to interpretation.

Because otherwise bureaucrats like you would cause everything to stall while looking into every contingency.

I also don't think you have to "pass a law" we already have laws on the book that can do this and, this might shock you, we have already used them to do almost exactly what you are saying here.

https://en.m.wikipedia.org/wiki/United_States_v._Paramount_P....

scarface_74
0 replies
3h26m

Well first that ruling was sunsetted three years for all the reasons I cited and was never a “law” binding new companies.

So now you want unelected judges to decide what can and can’t be streamed on the internet.

This is also not the 1930s. In 2024, movie distribution is not limited to physical meets theaters.

Your citation gets trotted out all of the time in these arguments like anyone in 2024 can’t put a video on a website and distribute it anywhere in the world. When the ruling was in effect, home video media didn’t even exist and even television was in its infancy.

And you still haven’t answered the question, do you also stop foreign companies from distributing their own content?

And there is always judge shopping, liberal judges would love to stop Fox News from distributing their own content on the internet as would conservative judges love to stop media owned by “woke” corporations

scarface_74
1 replies
16h38m

You can have collusion without being a monopoly. Your two neighborhood grocery stores can illegally collude even if there are 100 in your city

loa_in_
0 replies
15h28m

That's true but also very irrelevant

petesergeant
0 replies
16h48m

Collision is part of antitrust

Would make for some fascinating lawsuits, but I suspect you meant collusion

izacus
0 replies
10h11m

But commenters here want that right? They're riling up against an API that allows data export and user ownership and demand that they're removed and all interoperability to be killed because "users are too stupid". This cements and entrenches monopolies because no one is allowed to compete or interoperate.

In sense, things like Apple Mail is a problem for them because it uses full access to GMail account to extract private data over API.

1vuio0pswjnm7
10 replies
14h13m

"Meta said it rolled out end-to-end encryption "for all personal chats and calls on Messenger and Facebook" in December. And in 2018, Facebook told Vox that it doesn't use private messages for ad targeting.1 But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users' private messages.""

1. "Does Facebook use info from your private messages to target you with ads?

No. Facebook says it might look at your private messages to determine if they violate the company's policies, but it doesn't use that information for ad targeting. Facebook won't use the contents of your private messages to target you with ads on Facebook Messenger, WhatsApp or Instagram either, according to a spokesperson."

https://www.vox.com/2018/4/11/17177842/facebook-advertising-...

If the messages are encrypted "end-to-end" or whatever the chosen marketing buzzwords, so that Facebook cannot read them, then how is FB able to "use" messages for anything. One accustomed to normal communications services might think FB is storing and delivering messages and that's all. But in truth, it's "using" them. (For purposes other than complying with any request from a court of competent jurisdiction.)

Exactly what they might be doing is of course highly confidential. You are free to take guesses. FB may answer yes or no. Answers cannot be verified, so their value outside of marketing is dubious.

NB. Meta _is_ a third party. It feels as if some people believe they can redefine terms like "end-to-end", "third party", etc. As if they know many readers will happily go along for the ride.

leidenfrost
7 replies
13h49m

My guess is that FB stores the keys to reverse the encryption.

The point of e2e is to block any third party to see your conversations by sniffing packets. Not to stop Meta themselves.

roncesvalles
1 replies
13h27m

Although the frank meaning of "E2E encryption" is that a message is encrypted on the sender's device and only decrypted on the intended recipient's device, that is never ever what big tech companies mean when they use this term.

For one, this would remove companies' ability to support lawful interception, which puts them afoul of American law.

Thorrez
0 replies
11h54m

Is lawful interception possible with Whatsapp? I thought it had actual E2E encryption.

pushedx
1 replies
13h42m

The OpenWhisper protocol, which is supposedly implemented by Messages and WhatsApp, was designed specifically to enable anonymous key agreement between the two or more parties sending messages, and no one else, including the service provider.

Whether or not Facebook actually implements it this way is a great question.

appplication
0 replies
13h35m

two or more parties

When you’re having a 1:1 conversation with someone at a party, and then crack a joke and some weird dude 10 feet away laughs at you and says “good one”.

The obvious answer here would be for meta to consider itself party to your conversation.

bawolff
0 replies
13h43m

The point of e2e is to block any third party to see your conversations by sniffing packets. Not to stop Meta themselves.

No... the point of end to end encryption is to be encrypted end to end. It's literally the name. If meta can read your encrypted messages, that is just normal encryption not end to end encryption.

aftbit
0 replies
13h35m

Uh nope, that's a huge move of the goal posts. The point of E2E is to ensure that nobody besides the two endpoints can read the messages, including all hops along the way, notably including the service provider themselves.

The problem is that this requires users to do things like use one device to authenticate another or restart key exchange with all of their peers. If a user loses their phone, then they will need to redo their security exchange process, which nobody wants to do or even understands. Thus companies often store key material in an insecure way to allow new devices to be silently added to the account.

Plus, even if E2E is well implemented, there are still problems when the endpoint software can be remotely updated to a version that exfiltrates keys or messages.

AdamJacobMuller
0 replies
13h42m

Packet sniffing is mitigated by TLS/HTTPS.

The point of end to end is to ensure that only me and the person I'm sending a message to can read it and that none of the systems in-between us can read the plain text of it.

1oooqooq
1 replies
8h13m

They describe several cases where the E2E means user<->facebook<->otheruser. Some examples: group chat. Shared images. Shared Urls with snippets. Absolutely everything involving interactions with a whatsapp "business account".

So they are not exactly lying. just being extremely dishonest.

MattyMc
0 replies
6h41m

user<->facebook<->otheruser is the exact OPPOSITE of end-to-end. There’s literally a middleman who can read your messages.

They're sooooo dishonest.

neilv
7 replies
17h47m

I don't recall this potential bombshell (maybe because it was shortly before a Christmas, and the NYT headline looked like just more of the same ol'):

And in 2018, Facebook told Vox that it doesn't use private messages for ad targeting. But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."

2018-12-18 https://arstechnica.com/tech-policy/2018/12/report-facebook-...

2018-12-18 https://www.nytimes.com/2018/12/18/technology/facebook-priva...

_heimdall
5 replies
16h42m

The problem isn't whether Facebook used private messages for ad targeting (the claim they denied), it's whether Facebook used private messages at all.

Who cares if it was for ads, giving third party companies access should be a huge problem with or without ads.

margorczynski
4 replies
16h3m

This should make it a no-go for any sane person that is aware of that, unfortunately not many are.

I always try to convince people I know to ditch Messenger/WA/etc. in favor of Signal, and in many cases I've succeeded.

rvba
2 replies
15h1m

What is good about signal? It does not allow unique account names (!), but uses telephone numbers - what is just absurdly bad security.

The state can make a duplicate of your sim at any time. Not to mention linking phones to people is relatively easy.

margorczynski
0 replies
5h45m

Complete E2E encryption, only you and the person that you're talking to can read the messages. Yes, having you be identified by phone number is not great but they introduced usernames recently.

_heimdall
0 replies
15h29m

For better or worse, I found that the people willing to keep Signal installed and up to date largely just to get in touch with me was a good proxy for the list of people that really matter most to me.

I didn't win many over on the importance of privacy or Signal, but the willingness of some to put up with it because it matters to me says a lot about my relationship with them.

jgalt212
0 replies
16h16m

that's the money quote, for sure.

advael
4 replies
18h7m

Gonna give it like two weeks before tech bosses posit that users don't have a reasonable expectation of privacy in their private messages

cyost
3 replies
18h4m

Isn't that why they got renamed to "direct" messages basically industry-wide?

noobface
0 replies
17h19m

Bleak and rings true. The worst origin for speculation turned fact.

lupire
0 replies
16h53m

Sorry but that's ridiculous. The terms are synonyms, and usage varies by platform. Neither one gives you more privacy.

cherioo
0 replies
18h0m

Wow I never made that connection.

_heimdall
4 replies
16h37m

The encryption concerns here are a bit confusing IMO. Facebook owns the UI that show you the text of the messages.

There doesn't have to be a backdoor into E2E encryption at all per se, a simple UI property check would give full access to message contents directly in the frontend code. Throw that into a private API and Bob's your uncle, decrypted messages that were transmitted with 100% secure E2E encryption.

lxgr
3 replies
16h16m

Is that different for any other encrypted instant messenger, though?

_heimdall
2 replies
16h0m

No not at all, it's a universal risk since you have to trust the UI.

I should have been more clear there. It's interesting to me that I often see concerns over whether Facebook has encryption backdoors when the UI can do all the work.

lxgr
1 replies
5h16m

That's arguably still a backdoor, no?

At least I'd call an instant messenger that which claims to provide end-to-end encryption between conversation participants and then surreptitiously inserts itself as another participant.

However, something very active like that would be much easier to detect and prove than a "true" cryptographic backdoor that could possibly be explained away as an oversight in design or auditing.

_heimdall
0 replies
4h36m

Yeah I think that would fall into the backdoor category. My point was mainly that concerns over E2E encryption usually stop at the level of encryption and transmission.

If one really doesn't trust that Facebook isn't honest about how messages are encrypted and who has access to decrypt them, they also shouldn't use an app made by the same company that by design must have access to the decrypted text.

kylecazar
3 replies
17h16m

What is being claimed here?

'granted programmatic access to FB user's inboxes' could mean a lot of things. What privileges? I read the article and still can't tell.

I don't believe that Meta allowed Netflix to read messages that a user sent or received, but that seems to be what they're implying.

rvba
0 replies
14h56m

For me it sounds that they read the messages to measure sentiment (what people are watching / what they like and dislike / what they recommend / generic information about competition from other TV shows, movies and video games), but probably the system was "bugged" (plausible deniability) so those with access could read everything they wanted - be it messages made by employees from some competitor startup, or perhaps partners and sweethearts. Creepy stuff.

chatmasta
0 replies
16h39m

Agreed. I would like to read more details about the "access to the Titan API" that Facebook gave to Netflix. Has anyone read the lawsuit PDFs? Maybe more details are in there somewhere.

bicepjai
0 replies
16h46m

An exec can interpret different meaning rather than a technical person. I assume that as full access to read the messages

treme
2 replies
18h16m

how much effort did meta put into building a legit competition vs netflix/youtube? it's hard to imagine they couldn't put up a decent competition with max user reach and $

just how great of a moat do yt/netflix have? is Disney the only one mounting a decent fight?

cherioo
0 replies
18h2m

There’s plenty of competition to netflix.

Tiktok is probably the biggest competitor to YT. But it had to come in from short form video angle, because the moat of YT in long form video is probably insurmountable. Its fate remains to be seen.

Mindwipe
0 replies
9h34m

Wha?

Hacker News is literally constantly claiming that there are too many competitors to Netflix and there needs to be some kind of compulsory licensing to reduce competition. Like there are hundreds of posts on the front page every week to that effect.

Meta never took Watch very seriously, just because it requires literally billions of dollars of investment and they clearly never wanted to spend that much.

They licensed Buffy the Vampire Slayer for the US, clearly saw it didn't move the needle much and they'd need to spend $5 billion+ to get there, and scrapped the whole idea.

rezonant
1 replies
15h10m

For important context on my post here, please read tsunamihippo's post first: https://news.ycombinator.com/item?id=39859319.

This story seems very overblown. Are we arguing that Facebook should not ever allow any third party app to ask permission to read the user's Facebook DMs? There are valid use cases for this permission, and every case where an app asks for it is not a "privacy violation". Sure, did Netflix or Spotify actually need the ability to read back DMs instead of just write them so that they could send recommendations? No, they shouldn't have needed that. If Facebook's API required that they have read access just to send a message, then that's crap design. But is it nefarious? No.

As long as the user is appropriately briefed on what they are granting (and it appears that they were), and as long as Facebook addresses over-scoped permissions requested by third party apps in a timely manner, then this should not be an issue.

I for one believe that we need to mandate that FAANG companies have these sorts of permission-driven systems to avoid the vendor lock in we're all too commonly stuck with today.

Because these things are needed for competition to thrive and to avoid the big companies from creating moats that prevent us, the startups out there, trying to dethrone them, it's all the more important that these companies invest in better UIs that help a user understand the implications of what they are doing, and better review processes to stop bad actors from exploiting users' ignorance on an ongoing basis.

I despise Meta, but come on. Don't throw the baby (interoperability) out with the bathwater (interoperability can enable exploitation).

izacus
0 replies
10h9m

Remember that this site is full of people outright supporting monopolies and walled gardens when it comes to companies they like. So yes, they're absolutely defending removal of APIs that allow data sharing with explicit user consent.

_tk_
1 replies
18h11m

Two things are truly horrifying if this is true. 1. Just how normalized this behavior has become in Silicon Valley upper management circles. 2. That this has not gotten out earlier. Hundreds or thousands of employees at both companies could have reported this to the FTC or elsewhere.

rrr_oh_man
0 replies
17h41m

Vesting period

tored
0 replies
5h27m

Never use Facebook or any other of the big ones as a login provider. Always use a separate account for each cloud service.

timetraveller26
0 replies
17h57m

So it's true that just talking to anybody about anything automatically triggers a flag in some server somewhere.

stephenm00
0 replies
17h59m

Buried in the article, but not just Netflix, Spotify as well.

The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."

staticautomatic
0 replies
18h2m

Cue the FCC for yet another toothless Meta consent decree.

pc86
0 replies
15h37m

This is literally the first time in my life I've heard of Facebook Watch.

ozfive
0 replies
9h12m

This is wiretap level.

mgoetzke
0 replies
8h31m

What is Facebook Watch ?

frogpelt
0 replies
7h10m

If the product is free, you and ALL of your data are the product.

drexlspivey
0 replies
14h56m

Facebook also installed root certificates through Onavo to spy on their competition. Some email exchanges from this court doc https://storage.courtlistener.com/recap/gov.uscourts.cand.36...

From Zuck:

Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . . Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.

From Danny Ferrante (FB Data Scientist):

- We developed "kits" that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (i.e., specific actions that people are performing in the app, rather than just overall app visitation). This is a "man-in-the-middle" approach.

- Our plan is to work with a third party—like GFK, SSI, YouGov, uTest, etc.—who will recruit panelists and distribute the kits under their own branding. We already have proposals from several of these providers.

- The panelist won't see Onavo in the NUX or in the phone settings. They could see Onavo using specialized tools (like Wireshark).
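
The "man-in-the-middle" reading of encrypted traffic described in the comment above depends on the device trusting an extra root certificate; the standard client-side defence is public-key pinning. The Go sketch below is an added example, not code from the thread, the court filing or any company named here. The hostname, CA names and certificates are all constructed in-process, and it shows ordinary chain validation accepting a proxy's certificate while a pin check rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64

// issue builds a constructed test certificate; a nil parent means a self-signed root.
// It panics on error because it only feeds the demo below.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin returns the base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Result records the two independent checks a pinning client performs.
type Result struct{ ChainOK, PinOK bool }

// check validates leaf against the device trust store, then requires a pinned key in a verified chain.
func check(leaf *x509.Certificate, host string, trust *x509.CertPool, pins map[string]bool) Result {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: trust})
	if err != nil {
		return Result{}
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return Result{ChainOK: true, PinOK: true}
			}
		}
	}
	return Result{ChainOK: true}
}

// Demo compares a genuine connection with one terminated by a proxy whose root was added to the device.
func Demo() (genuine, intercepted Result) {
	const host = "api.example.test" // constructed hostname
	publicCA, publicKey := issue("Constructed Public CA", nil, nil)
	addedCA, addedKey := issue("Constructed Added Root", nil, nil)
	realLeaf, _ := issue(host, publicCA, publicKey)
	proxyLeaf, _ := issue(host, addedCA, addedKey)
	trust := x509.NewCertPool() // device store after the extra root is installed
	trust.AddCert(publicCA)
	trust.AddCert(addedCA)
	pins := map[string]bool{spkiPin(publicCA): true} // pin set shipped inside the app
	return check(realLeaf, host, trust, pins), check(proxyLeaf, host, trust, pins)
}

func main() {
	g, i := Demo()
	fmt.Printf("genuine: %+v\nintercepted: %+v\n", g, i)
}
```

Pinning the issuing CA's key rather than the leaf's lets server certificates rotate without an app update.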

dbg31415
0 replies
14h35m

Facebook is always going to pull stunts like this.

They don't do creepy things on occasion by accident, they do them intentionally by default.

Same old story for the last 20 years. Zuck is creepy AF, everything he touches is creepy AF.

https://www.businessinsider.com/well-these-new-zuckerberg-im...

bhouston
0 replies
16h48m

There is a lot of confidential information in Facebook private messages, probably people cheating, plans to leave one's job, political organizing, brides, illegal activities, etc. If Netflix gets access to this information, it is likely that other companies and 3rd parties got access either directly or indirectly.

Very scary what can be done with that information.

2muchcoffeeman
0 replies
14h42m

Facebook had a streaming service? This is the first I’ve heard about it.