IMO Apple should provide the user with audit logs of which photos/videos were accessed by each app. It might be a long list but it alleviates doubt and would put huge pressure on reputable developers to ensure they don’t get caught doing things the user wouldn’t have expected (even if the user technically allowed it).

Might be related

"Facebook patent uses image recognition to scan your personal photos for brands" https://www.fastcompany.com/90333067/creepy-facebook-patent-...

"faulty pixels, lens scratches, other ‘camera artifacts’ and metadata within the image would be used to associate Facebook users with particular images. " https://www.imaging-resource.com/news/2015/09/18/facebook-wa...

The people working at Meta are generally pretty tech savvy, while the general public isn't. Meta is an extremely rich company, and their employees are well compensated.

My question then is, when does this exploitative behaviour become criminal.

And if it isn't criminal, how do we make it so.

If you are working for Meta and you consider yourself a moral person, you should quit your job.

There are more important things in this world than making money. Help build a better world. You can live a comfortable life without helping Mark Zuckerberg ruin the planet. You can even make a lot of money, if that is what you dream of.

Meta is by far the most shamelessly insensitive tech giant. They must actively seek out the most morally depraved devs, I can only imagine the people in those meetings when discussing some of these implementations must have been laughing at how devious they are.

This should be a non-issue if you use Apple’s privacy settings to limit Facebook to only have access to the photos you want to use.

I’d highly recommend never granting any app full access to your photos.

Years ago, I installed the Facebook app on my phone. I immediately uninstalled it when I saw, horrified, that it had hoovered up all my photos and uploaded them to Facebook (there was no fine-grained storage permission at the time) "for my convenience". I never ran their app on my phone, again.

Meta isn’t just crawling your photos. If you gave it permission not just “While using the app” to anything, it’s gathering up metadata about you and sending it home. Contacts, emails, location, imei, photos, video exif, browser history if you happen to open a mini-safari view from an ad, app usage statistics, your IP address, your device information, anything they can gather - they are.

I uninstalled Facebook, Meta, MetaQuest, Instagram and deleted my accounts. I’ll never put one of their apps on my phone again.

Some of these comments are interesting to read. Haven't we learned from Cambridge Analytica in 2018? Or the various other scandals over the past 20 years? I can understand normal people not caring but how people on HN still use Meta apps is beyond me.

I've removed all Meta apps other than Whatsapp (and I don't love that). I haven't had the Facebook app on my phone in well over a decade. Had Instagram for a while, I was casually active on it, but Meta just keeps convincing me not to be trusted.

Facebook mobile is a suboptimal experience, which is fine, it just reminds me to use it less.

A few years ago I scrolled Facebook on my phone and suddenly saw a post with a picture from my phone and my heart skipped a beat. It was not a real public post, but a suggestion from fb ala "share this pic with your followers? This is how it will look like".

Immediately removed all permissions, insane to take a photo from my camera roll and do that. Imagine if it was some nsfw picture suddenly being integrated into my feed while scrolling in public or so..

I finally got around to rebuilding my pihole. My wife's phone as absolutely rife with requests for various Real-Time Bidding (RTB) domains. It was a flood of them like I really haven't seen before. I didn't do much troubleshoot, but when we looked at her phone, the Facebook app seemed like the likeliest culprit. (Facebook, after all would be the best-placed to have the user data required to actually participate in RTB.)

Once we deleted the app, the RTB requests went away for good. I've had pihole previously, and she's had the Facebook app previously, and we never seemed to have this issue. Perhaps Facebook is drudging up whatever profits it can since it's mostly cornered the population, and is potentially in decline.

Facebook seems like an exceptionally morally rotten company, which I guess just stems from Zuck being in control.

It sounds like this may not be happening on iOS. I have not found a way to access the Photos library, without the user being asked for explicit permission to do so.

But I also haven't really tried. I use Photos and the Camera in some of the apps I've written, and fully expect users to be asked. I ask for minimal permissions, as well.

If Meta is bypassing user permission, then that's a truly dire security breach, and Apple needs to bring down the banhammer fast.

A gentle reminder to the readers here at HN that it doesn't have to be this way. Computer Security is a solved problem[1], and has been so since the 1980s[2].

It's my strong opinion that the only methods you've seen to this point[3-7] were deliberately chosen to be ones that don't work, and make things worse in the long run.

It's my hope that things will change for the better, but when I think about what group could lead that change, there's No Such Agency.

[1] https://en.wikipedia.org/wiki/Capability-based_security

[2] https://en.wikipedia.org/wiki/Capability-based_operating_sys...

[3] https://en.wikipedia.org/wiki/User_Account_Control

[4] https://en.wikipedia.org/wiki/AppArmor

[5] https://en.wikipedia.org/wiki/Security-Enhanced_Linux

[6] https://en.wikipedia.org/wiki/Application_permissions

[7] https://en.wikipedia.org/wiki/Trusted_Platform_Module

Zuckerberg: Yeah so if you ever need info about anyone at Harvard

Zuckerberg: Just ask

Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuckerberg: People just submitted it.

Zuckerberg: I don't know why.

Zuckerberg: They "trust me"

Zuckerberg: Dumb fucks

Instant messages sent by Zuckerberg during Facebook's early days, reported by Business Insider (May 13, 2010)

> ... it's not available in Illinois or Texas due to those states' privacy laws.

This stuck out to me. How are laws like this typically applied? My guess is it's geo-based only, right? That is, take an Illinois resident who spends 99% of her time in her home state - if she travels to California for a weekend, can Facebook (legally) grab her camera roll data during that time? And vice-versa, myself, as a CA resident who spends 99% of his time at home - if I go to Texas for the weekend, Facebook is gonna have to wait until I return home to (legally) access my camera roll?

GrapheneOS is too precious. Being able to pretend like the app has full access to my gallery, while only specifically allowing certain directories or photos, is awesome. I've actually discovered that selecting a photo in the gallery and "sharing" it to a Messenger chat skips the need for it to be in the allowed directory, so I've been doing that too. Anyone know if that's working as intended, or if it's a potential security hole?

And yes, putting Messenger on my GrapheneOS phone is dumb, but my normal people friends all use Messenger, so that's where our group chats are. Best I can do is fail to convince them to install an XMPP client and join my self-hosted server, or minimize the impact of Messenger.

Facebook has been doing this for well over a decade. I once got a notification from the Facebook app, "Do you want to share this photo with Kim?" because Kim was just randomly in the distant background of a photo I had taken of my daughter at kindergarten drop-off. I deleted the Facebook app that day and I make a point to never give any social media app access to my photo library.

Meta can't scan my phone if I don't install Meta's apps on my phone.

A web browser on the phone removes the need for a lot of "apps".

The big tech companies are now becoming archetypal evil — directly analogous with the ancient stories of 'deals with the devil'.

The devil cannot take your soul, but if he can get you to agree to a deal... well... good luck with that.

Here, the devil gets you to agree to some nice beneficial feature like "camera sharing suggestions ... for personalized creative ideas, like travel highlights and collages" or "cloud processing" for whatever benefit. AAaand you do, and there goes all your private photos. And the devil can rightly claim "but this is a mere contract dispute and the user agreed to all of this".

The ancient tales were supposed to be warnings, not How-To guides.

And of course now, these modern devils are just flipping the "Agree" button under the software all without your actual consent.

I do not let ANY Meta property or software run on any of my devices. If only everyone did the same.

Mmmh well a few months ago there was a news that Facebook will prompt you to ask you if you are ok with your personal pictures being used for training, so it's not really surprising ? Besides, it's meta, what do people expect seriously ?

One way to deal with the current mess is to use a dumb enough phone only for banking/insurance/chat, a dumb phone for calling and texting, and a camera for photos. It’s less convenient but it’s better for privacy.

The setting was turned on for me. And there is no way I explicitly granted access.

I don't understand why Mark Zuckerberg isn't in jail, or via a "no admission of guilt" agreement, prohibited from being a corporate executive, at this point.

My ungranted personal information should be mine, with force of law, just as much as Meta's trade secrets are theirs.

Is it 2012? We've known this forever.

There are hundreds of ways to secure a laptop and ensure your privacy. Why are there almost no good ways to use a smartphone in a secure and private way?

Well, the good news is: I think this finally gave me a good reason ( one she would accept that is ) to convince wife to drop FB from phone.. yay...

Meta might be secretly scanning your mom’s phone’s camera roll.

Seriously how many of us are still on FB? How many of us have friends and family who still are?

My last impression of Facebook was that configuring the account settings had become more like setting up a fresh raspbian install or configuring a phone. Too many privacy intruding settings to count. I get the feeling that most people don't care enough and just leave everything on default, which is on.

I think Facebook is deeply scammy now.

I deleted my accounts a few years ago and never looked back.

HN changed the title

Original title chosen by the author:

Meta might be secretly scanning your phone's camera roll - how to check and turn it off

Xiaomi's HyperOS has many flaws but one great thing it does is have an app behaviour settings page that shows what app used what permission and when.

It allows you to toggle permissions on a per app per permission basis but sadly this toggle doesn't always work.

Still useful knowing how much you get spied on.

Opened the article and was immediately turned on by their cookie popup:

   We Care About Your Privacy 
   We and our 924 partners store and access personal data, like browsing data or unique identifiers, on your device.

Some years ago I stopped used Snapchat, because Snapchat would occasional notify me a "highlight" with a picture from my camera roll. To do that it meant that Snapchat need to have all my pictures on their server, I figured. Not what I signed up for.

Better yet - use the phones built in app restrictions to block or selectively allow photo access.

When a corporate does shady shit the last thing you'd do is trust the tools they provide to limit that. That's just insane.

>"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg

Could a proxy service (like Charles) see if photos are leaving your device? It seems "scanning your photos" could mean doing something on device or sending your data elsewhere. The former seems like it would be a much bigger scandal.

Honestly, along with this recent news - Meta seems to be its most brazen phase since going public in 2012 https://www.adweek.com/media/whistleblower-alleges-meta-arti... (See the section Recovery from Apple’s privacy changes) Cambridge Analytica was perhaps more about incompetence than complicity. But the patterns now seem intentional, and reminiscent of its early days documented well in Steven Levy's book.

They’re not, and they can’t, because I don’t use Meta.

I used to work at Meta (back when it was just Facebook), and I pioneered a similar effort back in 2016-2017-ish. Now, I don't know anything about the current version (which seems to offer cloud processing as well), but when I was there, the effort was entirely local to the phone.

We had caffe2 running a small model on the phone to try and select and propose photos for the user to share.

We were trying to offer an alternative sharing model that both made sharing easier, while offering the user the controls that made them feel comfortable with photo suggestions. (for those who never noticed, we launched Moments, which was an app that allowed automatic private sharing of your camera roll with a close selection of friends and family, but the experience wasn't great because it was centered around group events and sharing photos with the people who were there, not connecting with the ones who weren't)

Ultimately, it was scrapped, because we were paranoid that we hadn't come up with a user experience that made it clear that this was happening only on the phone (I think we even tried a notification model), or that we'd accidentally surface someone's boudoir photos, and we were too worried about the kind of knee-jerk reactions that you're seeing in this thread.

I'm guessing that someone at Meta either had a more successful go at the UX, or they feel that the opinions about AI have shifted enough that there will be less fear.

Upon reading the article, it looks like there are two options, one which is local-only, and similar to what we built, and a second one which tries to make better suggestions using online, and that is only enabled after asking the user.

I would suspect that the cloud processing version also runs a local model to attempt to filter out racy photos before sending them to the cloud, but I don't know for sure.

I think the article is a bit disingenuous in it's presentation, but it's possible that I'm biased because I know how a similar thing was built, but it definitely sounds like fear-mongering.

I remember when Facebook hired George Hotz. The idea was to circumvent phone security and privacy settings.

Why on earth would you install any Meta spy app on your phone at all?

And why would you give that app full photo access?

It better not be. I have no app and no account on their service. They bring no value to the world.

this benefits few and violates the privacy of millions… can we get a some fckin privacy laws yet

It's not hard to live without any Meta apps in US.

Some other countries require WhatsApp though.

We are talking about Meta, the company that:

-was rhe main party in the Cambridge analytica saya misuse scandal https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...

- Was responsible for the genocide in Myanmar https://time.com/6217730/myanmar-meta-rohingya-facebook/

- Actually pirated books to train their trash llama AI and lied about it https://arstechnica.com/tech-policy/2025/02/meta-torrented-o...

- Had a sniffer backdoor on Android to track you even through VPN and incognitomodes, an approach shared with Yandex

https://localmess.github.io/

- The CEO repeatedly lied to congress https://www.independent.co.uk/news/world/americas/us-politic...

- They spent billions on the metaverse which shows how stipid and out of touch they are

And now we are surprised that they are sniffing your photos. Please, I won't be surprised if they sniff your photos even if you don't consent. At this moment it's absolutely clear that they are an adversarial actor which can't be trusted with absolutely anything.

The kind of shady practices we have seen from this company, any self-respecting individual will be ashamed except Zuck. He has done more to rot the collective brain of a generation than any single figure in tech history.

The truth is, Meta isn’t building community, it’s building a surveillance hellscape where every click, glance, and pause is commodified. If you work there and still believe you're doing something good for the world, you're either delusional or willfully blind.

For what it's worth, I don't think facebook are scanning your photos.

the biggest reason is that probably enough of a ToS violation to get them yeeted from the app store.

It looks like its using metadata to work out when to nagg you.

>might

I appreciate your objectiviy but they definitely are.

Why do apps request persistent access to camera roll at all? I don't want to manage a custom set of pictures. I want to send a picture now by selecting it.

Apps like Messenger, Telegram and WhatsApp refuse to show me the regular old photo picker. I have to enable "limited access" and select the same photos twice (first add to the set, then select for sharing). It's infuriating.

PS: The exception is media management apps, but those are extremely rare and irrelevant in the context of social media and communications apps.

undefined

Meta abuses permissions when given? Shocked, I am SHOCKED I tell you. Next up: Google scans your emails, news at 11.

How is the app accessing my photos on iOS when I have not given the app permission to access photos? Did they really find some exploit around this? Or is this photos permission really not the only way?

1 : open the Facebook app.

Nope... I'm using a link to my Facebook homepage saved on the home screen.

[dead]