
>Getting mad at Zoom for using the Facebook SDK is missing the point.

It's really hard to believe this point given that... getting mad seems to have worked.



Doesn't scale. We can't have 1,000,000 front page "App X uses Y SDK" posts. People will stop caring. Nobody's made a post of that flavor in a while, and Zoom got caught in the crossfire. Honestly, if anything it shields other apps. People have a limited capacity for repeatedly addressing the same thing.


I think it doesn't always have to scale. Zoom is a huge player right now and in heavy use across all industries, countries and users.


That's a great point. The 80-20 rule likely applies here. Of all instances of beaconing events, the bulk of those events originate from a small number of popular apps.


Really?!? If it wasn't for this post I wouldn't even know that they exist.


In that case, I should probably tell you that it’s a good idea to wash your hands.

Check any news outlet to know why, and you're likely to also read about Zoom in some article.


What industry do you work in and what country are you in right now?


Fortune 500 consulting, European Union market.

Webex, Teams, Slack are the only ones that matter.


I'd guess you work mainly with slower players (the mention of Webex surely suggests so). Zoom has been very much on the rise for a year or so, and is riding the coronavirus WFH wave very well. IME quality is better than competitors, but boy do they use dark patterns. Finding the link to the web version in the meeting page becomes harder every day.


"Webex, Teams"

Yeah some companies are behind the curve (not blaming you).

Zoom is getting very popular.


From a security perspective, companies do not like the fact that Zoom was developed in China and the vast majority of its R&D is still in China. China has different rules on security than many other countries, particularly surrounding intellectual property. https://www.sec.gov/Archives/edgar/data/1585521/000119312519...

"Top of page 21: In addition, we have a high concentration of research and development personnel in China, which could expose us to market scrutiny regarding the integrity of our solution or data security features. Any security compromise in our industry, whether actual or perceived, could harm our reputation, erode confidence in the effectiveness of our security measures, negatively affect our ability to attract new customers and hosts, cause existing customers to elect not to renew their subscriptions or subject us to third-party lawsuits, regulatory fines or other action or liability, which could harm our business."


That's exactly what laws are for.


I pay $20 a month for Zoom and consider it a business product. Collecting analytics via Facebook is unacceptable in this context.


Would any cloud-hosted analytics be acceptable? Is it just Facebook that's problematic? What if they switched from client-side analytics to server-side so you couldn't detect it at all? Would that be any better? The bottom line is when you use a service, that data is their data to send to whomever they want.
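The two technical points raised above, that client-side SDK beacons are detectable on the device, and (earlier in the thread) that most beaconing events probably come from a small number of popular apps, can both be shown with a short script. The following is an added example and not code from the thread or from any vendor: it parses a constructed on-device proxy log, flags requests to a Facebook analytics host, and reports how concentrated those beacons are across apps. The log lines, the bundle identifiers, the log format and the beacon host list are all assumptions made for this example; a practitioner would replace them with hosts observed in their own capture.

```python
"""Flag app-analytics beacons to Facebook in a constructed proxy log and
measure how concentrated they are across apps.

Added example, not from the thread. The log format, bundle identifiers and
beacon host list are assumptions; check the hosts against your own capture.
"""
import re
from collections import Counter

# Assumption: hosts that Facebook SDK app-event calls are sent to.
FACEBOOK_BEACON_HOSTS = {"graph.facebook.com"}

# Constructed log in an assumed format:
#   <timestamp> <app bundle id> <method> <url>
# All app identifiers are hypothetical.
SAMPLE_LOG = """\
2020-03-27T10:00:01Z com.example.videocall POST https://graph.facebook.com/v6.0/123456/activities
2020-03-27T10:00:02Z com.example.videocall GET https://api.example-videocall.test/rooms
2020-03-27T10:00:05Z com.example.videocall POST https://graph.facebook.com/v6.0/123456/activities
2020-03-27T10:00:09Z com.example.videocall POST https://graph.facebook.com/v6.0/123456/activities
2020-03-27T10:01:00Z com.example.weather POST https://graph.facebook.com/v6.0/987654/activities
2020-03-27T10:01:30Z com.example.weather GET https://weather.example.test/forecast
2020-03-27T10:02:00Z com.example.notes POST https://graph.facebook.com/v6.0/555/activities
2020-03-27T10:02:10Z com.example.notes POST https://graph.facebook.com/v6.0/555/activities
2020-03-27T10:03:00Z com.example.flashlight POST https://graph.facebook.com/v6.0/42/activities
2020-03-27T10:03:05Z com.example.videocall POST https://graph.facebook.com/v6.0/123456/activities
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_facebook_beacon(entry):
    """True when the request host is one of the assumed beacon hosts."""
    return entry["host"].lower() in FACEBOOK_BEACON_HOSTS


def beacons_per_app(log_text):
    """Count beacon requests per app, skipping unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_facebook_beacon(entry):
            counts[entry["app"]] += 1
    return counts


def share_of_top(counts, top_n):
    """Fraction of all beacons that the top_n apps account for (0.0 if none)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    top = sum(c for _, c in counts.most_common(top_n))
    return top / total


if __name__ == "__main__":
    counts = beacons_per_app(SAMPLE_LOG)
    for app, n in counts.most_common():
        print(f"{app}: {n} beacon(s)")
    print(f"top app share: {share_of_top(counts, 1):.0%}")
    print(f"top two apps share: {share_of_top(counts, 2):.0%}")
```

Run against a real capture, the same host-based check is what lets a user notice client-side SDK telemetry at all; moving the analytics server-side, as the comment above describes, would remove exactly this signal from the device.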


> The bottom line is when you use a service, that data is their data to send to whomever they want.

No.

That's all that really needs to be said about it, but I'll add a couple more lines here so no one thinks I'm lazy or posting a shallow dismissal:

- First, just because someone trusts you it doesn't mean you are free to abuse them. This should go without saying!

- Second: In Europe, and I think California as well, this is also illegal.


My point is that you've removed one instance of the Facebook SDK from your phone, but you still have 50 others. Plus probably hundreds of other analytics frameworks that you've never even heard of that are just as bad or worse.


A journey begins with a single step. As a community, we suss out and shame the rest into removal. If shame doesn't work, those in California try using the CCPA.

We’re all stuck inside for a while, this is the perfect time to act. One app and SDK at a time.


I could get behind that, but I am sure people get tired, both the activists and the sheer mass of people who would need to be convinced.

During COVID nobody is paying attention, and we have the additional problem that they're trying to use cellphone location data to enforce social distancing! Once this is in effect it will be difficult to undo, because the next epidemic will be "just around the corner" ...


So if you can't stop ALL of them, you stop NONE of them.


This is unsustainable. It requires constant vigilance and turns the privacy matter into a cat and mouse game where we are constantly one step behind the worst actors. These systems exist everywhere in the world and they’re fundamentally inefficient. E.g. recycling, or “please bring your own plastic bag”, which relies on goodwill.

Compare to a system where you fix the incentives to automatically align everyone’s interests: e.g. bottle deposits, or a small fee for plastic bags. Now people will want to do the right thing, because it is aligned with their own interests.

The same holds here: fix this one instance with enough outrage, there will be a thousand more. Instead, let’s fix the misaligned incentives between app builders and users, so their invasion of my privacy costs them as much as it does me (e.g. GDPR).

This is how you make efficient markets: align incentives. Fixing everything on a case by case basis only provides temporary relief.

[edit: note that OP never said "don't do it", they just said "it's missing the point". which I think is a fair call. this one fix is good, but it's unsustainable.]


> bottle deposits, or a small fee for plastic bags

You know how these programs started? They started small. A few stores requiring them. Eventually, they become a law.


I guess your point is that fixing this one transgression is the equivalent of one store implementing that rule, and if we fix more of them eventually it’s a law, making it but the first step on the journey to sustainable privacy?

It isn’t. This is recycling one bottle. It doesn’t have any sustainable long lasting effect.

To stretch the metaphor, the equivalent of one store asking for deposits would be e.g. Apple requiring full disclosure of all such tracking SDKs on the App Store page, as suggested by someone else in this thread. That’s sustainable, scalable, and that’s what might eventually even lead to legislation, as you pointed out.


No, you attack the systematic problem and don't become happy by fixing one of them, since it is a hollow victory, and public outrage has limited capacity for repeated posts of "app x is sending to Facebook".


Why not go both ways?

In this very thread we started from “I can tell you from experience that everyone does this.”.

Now when a PO is asked to add Facebook to their app (or wants to remove it) there is at least one prominent instance to point to showing that having the SDK is not the right move. And hopefully that "everyone does it" will become "some still do it".

If of course in the meantime we find a working systematic solution, it’s all for the better.


honest question: _how_ do we attack the underlying systematic problem to solve it once and for all?

write a blog post?

take it to Twitter/HN/Reddit?

hold a rally/demonstration outside Apple/Google?

call our MP?

bombard their employees with phone calls or knock on their front door where they live?

write malware?

... really, I got nothing that sounds like it would work. In retrospect, all of Tim Cook's privacy / security grandstanding and attitude of superiority was just that. There are no good guys in this game.


Buy a better behaving phone, or admit that you don't mind being spied on as compensation for features.


Legislation?


Sure, but since I am unable to actually make legislation I wrote "call your MP", which is more sobering/realistic if you look at the likely success of this particular effort.

We're outgunned by the lobbying from these companies I think.


Right. There's no point in locking 6% of your doors. It's security makework theater, like trying to use a treadmill for transportation.


If Apple notices this press, they may very well ban uploads of new apps containing Facebook SDK versions with this telemetry.

If California and the EU get wind of this, they may also give Facebook a gentle nudge.

That'll get Facebook to remove it fairly quickly, or at least stop triggering it in the background without user initiation.


No, raising widespread awareness seems to have worked. Getting mad reduces the chances of someone responding usefully.



