[pyt]

I contacted LG last month regarding their use of the Facebook SDK's automatic event collection in their ThinQ Android app. They responded and told me that they're disabling it in an upcoming release (incidentally, today's). If a single email is all it took to get a company with over $50 billion in revenue to disable Facebook's tracking in one of their apps, I really don't think that these companies are sharing data intentionally.

What justification does Facebook have for keeping automatic event collection turned on by default in their SDKs? Why can't they enable it only when the the user has explicitly opted in (https://developers.facebook.com/docs/app-events/gdpr-complia...)? They even say, "you need to ensure that your SDK implementation meets these [GDPR] consent requirements."

[techslave]

news for you: it wasn’t your email that caused it. the change was already underway

[nh2]

> I don't think these companies are sharing data with Facebook intentionally.

That would imply they are incompetent and negligent.

Would one not expect large companies like LG to have internal security and privacy reviews of the software they publish, and know very well what they are doing?

> What justification

Their core business.

[kelnos]

> That would imply they are incompetent and negligent.

Not really.

Product Manager: I want to be able to support Facebook login for our app.

Developer: OK... [googles for how to do that] ... We can use the FB SDK for that.

PM: Cool, let's do that.

Dev: [implements it]

Nobody really does much more due diligence than that most of the time. I suppose you could argue that's negligent, but if that's the case, then pretty much every company that has an app with login functionality is probably in that boat.

[saagarjha]

> I suppose you could argue that's negligent, but if that's the case, then pretty much every company that has an app with login functionality is probably in that boat.

I think every company that does this is negligent. Audit your dependencies, people!

[asutekku]

As nice as it would be, auditing everything you use is almost impossible, especially for smaller teams.

[saagarjha]

See, one way I often solve this is by reducing my reliance on third-party dependencies.

[Draiken]

Which is also a hard thing to do on small teams.

I think for small teams this is a near impossible task. For big corporations it should be doable and expected. They actually have some leverage to push the other big companies to track less. Something a small company simply can't do.

[nh2]

Is this really a compelling argument for the given case? A detailed audit does not seem necessary here:

This is not some surprising behaviour hidden in some random dependency.

This is the Facebook SDK, from Facebook, and everybody knows what their business is.

[type0]

> This is the Facebook SDK, from Facebook, and everybody knows what their business is.

Ignorance is a bliss. Talk to some people that still use fb after their scandal and you'll get "who cares, everyone is tracking users and selling data anyway" as an answer.

[dylan604]

Exactly. A simple online search for the phrase "Facebook SDK" will reveal plenty. It's not like you need forensic accounting level research to see that the SDK does much more than provide a simple login mechanism.

[eitally]

It really isn't. Full stop.

[yjftsjthsd-h]

> That would imply they are incompetent and negligent.

I'm surprised that you consider that unlikely/surprising. Lots of companies act in technically incompetent ways all the time

[DyslexicAtheist]

> That would imply they are incompetent and negligent.

> Would one not expect large companies like LG to have internal security and privacy

can't tell if this is sarcasm because this is exactly what they are. an OEM is just packaging stuff and always bigger than it's parts (in this case meaning the knowhow of their otherwise bright and knowledgeable engineers is lost in the organization as a whole). the biggest companies are always the dumbest places where no matter how bright you may be the management layers above make sure that this gets cancelled out (I've worked at Samsung, Nokia and Ericsson and it was the case in all these places). Doubt LG would be any different.

[floatingatoll]

Given Google's hostility towards the glacier-slow release schedules of Android updates and the continued embedding of vendor apps that screw up Android by phone vendors such as LG, I'm already quite biased in favor of "companies like LG are incompetent and negligent", based on the evidence available over the past several years.