One can't really un-release one's contacts to one of these data gobbling companies. Even then, I appreciate that we are raising this issue.
It should be clear to anyone here that the moment to act on this is before your contacts get copied, not trying to get them un-copied later. Think of it as a betrayal of your contacts, that you sell them out (then ponder the likelihood that none of yours have done the same, it's probably infinitesimal.)
I solve this issue by simply not using the contacts feature on my phone. I just store phone numbers in a text file and memorize the 2 or 3 that I need to contact often..
Ironic, I know, but that's what it has come to. Welcome to 2020.
In the vast majority of cases I just don't need to call most people. I mostly stick between instant messaging and (during pandemic) video calls and (non-pandemic) in-person meetings and just avoid the awkward middle ground of audio-but-no-video phone calls.
Sorry but this sounds diabolical... we need companies worthy of our trust so we can gain the benefit of the apps we’ve chosen to use, rather than avoiding them with manual workarounds. We need laws and penalties applied to companies that abuse our trust. (Yes i know, unfortunately its too late for the FAANG’s of our time)
Fundamentally, that's not a thing in the long term. Trust lasts until the next bad quarter if you're lucky, because ultimately a company will choose to abuse your trust rather than go under.
I don't want to come down too hard on companies here, they exist to make money, that's what they're for (and plenty of them provide very useful services).
But the concept of trust doesn't make a lot of sense here. The people that make up a company aren't constant, and if you do find a company with trustworthy employees, they won't take your data with them when they leave, they will leave it for the next person to abuse.
Trusting a company beyond what they explicitly promise (anything in a EULA-like document that says they can change things at any time doesn't count) is setting yourself up to be screwed down the road.
An obvious idea is Apple/google could add a dontShare flag to the contacts. Or would that be too controversial?
The os would just pretend those contacts don't exist when all contacts are requested. There could be a checkbox to share protected contacts on the permissions prompt in case you're trying to actually export them.
A better idea would be to use regulation to outlaw malware/spyware that steals your contacts list, or pressure Apple/Google to actually do their job during app review and kick such malware from their store.
Regulation is generally useless since it only applies within a jurisdiction. Unless you can convince 200+ countries to adopt it as their formal law, said spyware could always find a place to call home and still infiltrate the world.
GDPR is a good example of a law that the US sheepishly somehow chooses to obey EU law (wtf, why didn't the US obey the EU laws around recycling and energy and no free plastic grocery bags for the past decade? and all of a sudden they care about obeying GDPR?), but do Central/South American, African, Middle Eastern, and Asian countries take a crap about GDPR? Generally not. They don't care about EU law. It doesn't apply in their jurisdiction, and they are not sheep. That isn't to say privacy doesn't matter, it's just that the law needs to be locally implemented, not obeying some arbitrary EU interpretation of the idea that wasn't even discussed with them.
As such, I think technical approaches are generally superior to regulatory approaches in user protection. They apply across the entire world instantly.
> just avoid the awkward middle ground of audio-but-no-video phone calls
Off topic but: am I the only one who thinks video calls are awkward and the old-timey audio-only ones are preferable? I have a disdain for people walking down the street with their phone in an outstretched hand, having inane hour long conversations while virtual bunny ears, cat whiskers or horse heads adorn their faces. Not everyone wants to put on a performance every time they speak to you. Sometimes I just want to call and say hello without having to think about whether the shirt I'm wearing is cool.
Interesting. I actually find it somewhat jarring to take a call in the presence of other people.
I'm used to real life where you talk and see people, and the people you see are the people who can hear and talk to you.
With phone calls the existence of people around me that can hear half the conversation, aren't part of the conversation, and can't reply to the conversation, is utterly jarring and unnatural to me and I avoid it at all costs. I can't for the life of me answer the phone and be at ease when there is anyone else in the room.
I also find it really hard to comprehend everything someone is saying without body language. That is also super unnatural to me. I read faces a lot. I'm just used to real life I guess.
And your friends are still using apps that harvest YOUR contact data. So your contact graph is still determinable. When I changed my phone I decided to not give out my new number. Now all of the spam calls come in on my Google Voice number that I share with everyone and I only share my iMessage with specific people I trust.
I use WhatsApp and deny it access to contacts, it just presents the phone number in the app instead. After a short time one's brain associates the 'last two' of the number with the person.
The idea behind allowing apps to see your contacts was sound, I'm on an app that works better when my contacts are connected to me. Whether its a social network, a game, a fitness app, etc there are many obviously good uses for the end user. Going further it was pretty awesome years ago when there were apps that would connect your contacts to your Facebook friends and they would sync things like birthdays and their profile pictures back to my contacts.
The issue is that some asshole had the genius idea of trying to monetize and spam the contacts once they were given and other assholes followed suit. I would never give the 2 way sync permission to some random app anymore and I almost never give the contact permission to bigger apps as well.
What I hope is that eventually there becomes some way to determine if my contacts also use an app without the app knowing they are my contacts nor giving up the information of contacts not on the app. That seems like a hard but not impossible task. Eventually I'd like there to be a safe way to return to the 2 way sync, but I'm not sure if that is even possible.
Do people’s phone contacts generally align with who they want to be associated with in any apps? Why would I (an average social media user) want my boss, my driving instructor, other professional contacts, my ex wife, personal trainer, therapist, doctor, etc. to be automatically linked to and recommended my social media accounts? I find the whole concept strange.
You don't have to add every single person that is a contact, you'd just be able to see they are connectable. Maybe I would like to connect on FitBit with my personal trainer but not on Instagram or Pokemon Go.
Anyone I consider a friend that I didn't meet online I will always have their phone number, even if that isn't my primary form of communication with them. A phone call will always go through without regards to any data limits and is less spotty in areas with bad service.
I'd love it to be a standard so that social networks could also be connected together in a similar asymmetrical way but that would require even more cooperation from people proven to be bad actors.
I'm on an app that works better when my contacts are connected to me. Whether its a social network, a game, a fitness app, etc there are many obviously good uses for the end user
I'm very selective about who I connect with on social media, only close friends or relatives. But I have many contacts that I won't want any social media contact with at all. Former coworkers, ex girlfriends, professional contacts, etc.
The best solution would be at the OS level, preventing someone's entire contact list from reaching an app's server in the first place.
In iOS 14, Apple (re)implemented a photo picker so apps don't need access to your entire photo library for you to upload a single photo. I'm hoping they could come up with something similar for contacts as well.
Never use an email user id you’ve given to other people
Never use a phone number user id you’ve given to other people
Try to only use app based 2 factor and not SMS based because you have to give it a phone number which they will untrustworthily reuse eventually to generate a social graph
This breaks the social graph
Facebook will ban you for this within 10 minutes, Instagram will not
This has been obvious to me for years, even without the direct notifications to follow someone particularly.
I uploaded a subset of my contacts to IG pre-Facebook acquisition, must have been ~5 years ago, and to this day I get follow suggestions (that I've never clicked on) which one would have no reason to believe are good unless that data was retained (e.g. for contacts who are not "mutually well connected" with other people I follow).
Yikes!
Edit: IG's claim was that the indicator light was a bug (erroneously indicating that the camera was in use), but the app wasn't actually accessing the camera.
Haven't tried this app, and it may be more horrid do install an app but the only other way I was thinking was manually via CSV and generate it with dummy data from some other misc data on the web....
I should do it actually. It helps break the addicting nature of social media apps and ruins the networking effect.
If you actually want to mess with the algo you probably need to have partially real and partially fake data, or disruptive data such as rotating the names, e-mail address, and phone numbers within the same contact list so that they don't correspond to each other.
Outlier rejection of completely random data for these sort of graph-connected networks is exceedingly easy and unlikely to screw up their algo.
Do you know of an app that does that? I do not know much about Android development, maybe this should be my first project? It is always easy to unfuck it, just delete all contacts, and import your actual contacts with their correct details from a file you exported and backed up.
But... for how long do you have to keep the fake contacts and whatnot?
First off, not advocating a position just providing background.
The interpretation of GDPR by certain companies is that when someone requests "data deletion", they are to delete the association of the data points to "known identifiers" and are not required to delete the data itself. As the user has decided to disconnect their association, the data remains in the hands of the organization for analysis, look-a-like modeling, etc etc.
Scenario 1 - Insta didn't fully delete the associations according to policy and thus one of their processes is still linking the contacts.
Scenario 2 - Even with disconnected data associations, the ability of Insta to re-identify you was too easy and thus the contacts are showing up.
Either scenario shouldn't be viable under GDPR. If you're in the US, you're SOL (CCPA isn't as robust as GDPR and focuses more on 'data sale' and less on data privacy & protection).
I have a related story, WhatsApp permanently banned my account after I refused to give it contacts permission.
Longer story: I went to create my first ever WhatsApp account after I was invited to a friends group chat. I downloaded the Android app but, being aware of Facebook apps' thirst for slurping up all your contacts, I made sure to repeatedly deny contacts permission even though the app was annoyingly insistent that it needed to have it. I only wanted to access this one group chat so I didn't see why it needed it. After maybe 20 minutes in the group chat Whatsapp permanently banned my account. Appeals have been denied. I have now been unsuccesfully trying to convince the group of 30+ people to switch to a different platform so I can participate :(
If I had to guess I’d say they banned your account for some other reason (doesn’t have to be a good reason, just some other bad reason) because I have the exact same situation (I use WhatsApp for just one group and nothing else and denied access to my contacts) and my account isn’t banned.
If they had a policy of banning everyone who doesn’t allow access to contacts, I wouldn’t be allowed back in the chat.
Not that Telegram is the most secure thing on the planet, but it has feature parity with Whatsapp for the most part and supports groups perfectly, in my opinion.
It's a much easier sell, I think. Plus it's definitely more secure than Whatsapp.
Not only that, but I do not know of an open source phone that is commercially available and has been audited to not do nasty things behind your back. I am not sure about the progress of Librem, and it is a sad state that we only have that, or will have that. Those phones are spy devices, I look at them as I look at Windows 10. I am never, ever, going to trust it. When I take a photo, I expect at least the thumbnail of it to get on some server. Am I too paranoid? With Google, or Chinese crap, I do not think so.
Of course you could take a similar argument or stance when it comes to desktop, and indeed, just look at all those CPU vulnerabilities. I think technology is at a really sad state. Most things are closed source (what does your keyboard do?![1]), and we have no goddamn way of knowing what is happening behind our back unless someone reverse engineers it, but the fact that it has to be done is an issue to me.
People in Europe need to keep hammering US companies with GDPR violations relentlessly. At some point, if a company keeps violating GDPR, do the executives become criminally responsible? If not, they should be.
I wish the US had something similar at this point.
I worked on a compliance effort for a large-ish American tech company. Imagine a lot of boxes and arrows diagrams and plausible deniability. I was told we had to "balance risk", which in practice meant all data was available to everyone with no governance strategy. It was impossible to enumerate all the places data might be collected and stored, let alone find the appropriate person to handle the deletion request. We ended up basically handling the "happy path" and pretended the known unknowns didn't exist. This gave everyone enough plausible deniability to say "well the policy is X" with no means, technical or otherwise, of checking compliance.
CCPA isn't as strong as GDPR[0]. Also, not sure if you're referring to Prop 24, but it's terrible[1] for various reasons, including that it can't be updated by the legislature.
Agreed. I work in information security (risk, compliance, and governance) for a EU-based company and we have a ton of “our lawyers said X” and “we interpret GDPR as Y” kind of policies because there have not been enough court cases to really understand what GDPR actually means.
From a security and privacy standpoint I think it’s got great potential but there are too many open questions about enforcement and it muddies actual compliance.
Yeah, same with governments. And I think Hanson’s razor is generally a pretty bad rule of thumb, considering that negligence is essentially malicious anyway.
Yeah, in some cases I have started going with "this might be malice and it might be incompetence, but since the behavior is the same either way who cares?"
I'm not really attempting to use precise legal terms, because those vary a lot. For instance, "actual malice" in US libel law doesn't require intention or desire to harm (the normal dictionary definition of "malice"), but can simply be negligence (making a statement with a "reckless disregard of whether it was false or not").
My point is that, if you ought to have done something, and you didn't, you're culpable. And I would certainly use the word "malice" (in the everyday sense, not in all legal contexts) to describe someone who knows they are cutting corners that might have damaging consequences, but cuts corners anyway. I think it's malicious to harm or endanger other people to make a buck.
When it comes to Facebook this statement should be reversed unless stupidity is explicitly proven or is contrary to the bottom line (as in it causes them to gather less data about people).
Hanlon's razor needs to die, it extoles gullibility to the delight of every abuser with more than two brain cells. Even young children instinctively figure out the 'it was merely an accident' excuse for their misbehavior. Following Hanlon's razor would have you outwitted by toddlers.
>Even young children instinctively figure out the 'it was merely an accident' excuse for their misbehavior. Following Hanlon's razor would have you outwitted by toddlers.
Hanlon's Razor is absolutely valid.
That said, I'd posit that stupidity isn't accidental and shouldn't be excused. Rather it should be stomped on just as hard as malice since, as others have pointed out, the effect is the same.
Having worked in politics, where Hanlon's Razor is often used to excuse malice, I'd suggest it is not valid.
People have reasons for acting incompetently - often those reasons are because the system is set up to enable that, in one way or another.
And it's most often the case that system has been set up intentionally in that way (or has been manipulated to get that outcome) - there's malice in the organisational big picture.
The effect is the same and the cause is the same as well.
Facebook hires many of the greatest engineers known to man, and has them build things like HHVM so that others of their engineers can hack on monstrosities in almost-PHP.
You're going to see both good and bad Facebook engineers.
It should be clear to anyone here that the moment to act on this is before your contacts get copied, not trying to get them un-copied later. Think of it as a betrayal of your contacts, that you sell them out (then ponder the likelihood that none of yours have done the same, it's probably infinitesimal.)