by simonw 839 days ago
I'm really glad this is possible, because it's important for dispelling conspiracy theories.

Plenty of people are convinced that Facebook's apps spy on them through their microphone and use that to show them targeted ads.

The easiest way to disprove this is to monitor the traffic between the apps and Facebook's servers... but certificate pinning prevents this!

(Not that anyone who believes this can ever be talked out of it, see https://simonwillison.net/2023/Dec/14/ai-trust-crisis/#faceb... - but it's nice to know that we can keep tabs on this kind of thing anyway)

2 comments

Unfortunately while this thing helps it doesn't actually conclusively stop any speculation. If I wanted to spy on you via app, I would encrypt the data inside the HTTPS stream and only decrypt it on my server.
Pretty sure anything you encrypt client side can be decrypted client side, as long as you have control over the binary and OS/hardware. It's just a matter of effort.
Not the case with asymmetric encryption, you could encrypt with a public key and only the server's private key would be able to decrypt it. Not even the client could.
I think the person you're replying to perhaps meant that if you have total control of the hardware and the binary you can pull the value prior to being sent to the encrypt function.
Fair! In that case, yes you totally have access to the payload before it's encrypted.
Asymmetric encryption is very computationally expensive - there's a reason that it's typically only feasible to use for signing a hash or as part of a key exchange to agree upon a shared symmetric key.
Envelope encryption works for that - client generates a random symmetric key, encrypts the data symmetrically, then asymmetrically encrypts just the key (which is then thrown away on the client). Both the symmetrically encrypted body and asymmetrically encrypted key are sent.
You just modify the client to leak the data before it's encrypted symmetrically. Keys don't matter at that point.
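The envelope scheme and the pre-encryption hook discussed in the comments above, as an added Node.js example that is not code from any commenter or from any real app. The function names, the RSA-OAEP and AES-256-GCM choices and the sample payload are assumptions made for illustration.

```javascript
// Added illustration: envelope encryption as seen by the client, the wire and the server.
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
        publicEncrypt, privateDecrypt, constants } = require("node:crypto");

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Client side: only the server's public key is available.
function seal(serverPublicKey, plaintext) {
  const dataKey = randomBytes(32);                 // one-time AES-256 key
  const iv = randomBytes(12);                      // 96-bit GCM nonce
  const cipher = createCipheriv("aes-256-gcm", dataKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = publicEncrypt({ key: serverPublicKey, ...OAEP }, dataKey);
  dataKey.fill(0);                                 // client throws the key away
  return { wrappedKey, iv, tag, body };            // everything that is sent
}

// Server side: the private key unwraps the data key, which decrypts the body.
function open(serverPrivateKey, env) {
  const dataKey = privateDecrypt({ key: serverPrivateKey, ...OAEP }, env.wrappedKey);
  const decipher = createDecipheriv("aes-256-gcm", dataKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.body), decipher.final()]);
}

// Proxy view after TLS interception: does the plaintext appear in the bytes sent?
function visibleOnWire(env, needle) {
  return Buffer.concat([env.wrappedKey, env.iv, env.tag, env.body]).includes(needle);
}

// Analyst view: wrap the encrypt call and record its input before it is sealed.
function instrument(fn, log) {
  return (key, plaintext) => { log.push(Buffer.from(plaintext)); return fn(key, plaintext); };
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const payload = Buffer.from("constructed-sample-payload"); // constructed sample input
  const captured = [];
  const env = instrument(seal, captured)(publicKey, payload);
  return {
    leakedOnWire: visibleOnWire(env, payload),
    serverPlaintext: open(privateKey, env).toString(),
    hookedPlaintext: captured[0].toString(),
  };
}
```

The inner layer is opaque to a traffic inspector even with HTTPS stripped, while a hook placed in front of the encrypt call on a device you control still records the payload.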
They only need the server's public key to encrypt it client side. But if all you want is to see if they're spying on you, you could go one step above and see if they're calling system APIs to your mic/camera/keyboard, instead of observing the network activities.
And if spying works without using the microphone or whatever, the alternative is almost worse - it means Meta et al. have such a good virtual “mind reading” Skinner model of you that they have a good hunch of what you will talk and think about. If we are not there yet, it’s only a matter of time with enough machine learning…
This is always what has screwed with me the most about this AdTech thought experiment: Both likelihoods (listening-in vs astute prediction models) are equally bad; and whoever downplays either as "business as usual" or "humans are predictable", respectively, ought to be called out for it.

It's NOT good when you listen to conversations without explicit (or implied, for that matter) consent, just as it's equally NOT good to exploit human predictive models to such a precise degree for profit. You SHOULDN'T be complicit in these practices, and saying that it's "just what it is" is one more person in the arena that's throwing their hands up to allow it. Attempt for change is ALWAYS better than apathy for complacency - before every interaction exists to become a transaction.

My hypothesis is that it's not listening nor is it predicting based on the individual, instead it's reacting to web surfing behaviors of your associates.

For example, you and your partner use the same wifi at home a lot, and you both visit a close friend's house and use their wifi every time you're there. Services that you use in both places (e.g. Facebook, Google) now have a graph where there's a very strong link between you and your partner, and a weaker but still important link between the two residential IP addresses.

Now you're at home, just had dinner with your partner, and you say you are considering buying a guitar. An hour later you open your phone and see ads for guitars. "Honey, did you search for guitars already?" "No, why?" "Oh no! It heard me! Or it knows me too well! Uninstall all your apps!"

No, what happened is that last night you were at that friend's house, told your friend about your guitar desires, and all morning that friend has been doing a bit of market research themselves, perhaps to see what you're on about and maybe consider getting it for you. The graph connects the dots, and advertisers suspect that perhaps guitar ads should go not only to your friend, but also to you (by that weak association) just in case you might be the one who buys the guitar.

The uncanniness is a function of you having no idea that your friend was building up this slight likelihood that you're about to buy a guitar, combined with even a very weak signal poking out above the noise given no other recent signals.

My theory is that we're all just WAY less interesting than we think we are.

Male, 40+? A bit more likely than the average human to have a mini mid-life crisis and decide to buy an electric guitar.

These platforms suggest SO many ads to us that even if 99% of the suggestions are total junk that we ignore without even registering, the 1% that represent a lucky roll of the dice still really stick in our memories.

If you can come up with this heuristic, you can bet your ass that some ML model can come up with something much better.
That's still dystopian and STILL exists for the sole purpose of interactions to finalize as a transaction. It's not a good thing.
> just as it's equally NOT good to exploit human predictive models to such a precise degree for profit

It should be straight up illegal.

These capitalists insist on nonsense like copyright and intellectual property. They do everything to defend their precious "IP". So why is it that we don't own information pertaining to ourselves?

Personal information should be toxic to them. There should be so much liability involved corporations should be scared to know even a single bit of information about us. They should be scrambling to forget all about us the second our business with them is done. Predictive models? They should be too scared to even have a credit card on file.