William Hayward

William Hayward

Software Developer

© 2020

Hacking The System

I’m writing this from a remote location, far from the reach of the authorities. The ZuckPolice are tracking me and could close in at any moment. All because this week, I hacked Facebook.

So, let’s talk about APIs. We all know them, we all love them. Or at least some of us know them, and at least I love them.

Every major social media website has an API. Twitter and Reddit have fantastic ones, with clear documentation and permissive usage licenses. Tumblr has a relatively extensive one and some frustrating caveats about not using it to recreate the terrible, terrible Tumblr app.

And then there’s Facebook.

Facebook has an API, it’s true - and it’s also a nightmare to work with. For a company that is so willing to do some dodgy things with our data, if someone looks twice at certain API functions they will yell and scream until the cows come home.

Okay sure, I get why they limit that but it’s still annoying. What’s worse is how unintuitive the documentation is. This is largely due to a major shift in the API internally, which is more awkward timing than anything, but it’s resulted in a few inconsistencies around the API. Frustrating.

The solution, of course, is to just skip the Facebook API and develop our own. Between an unofficial chat api (https://github.com/Schmavery/facebook-chat-api) for Node JS and use of Puppeteer (https://github.com/GoogleChrome/puppeteer), we should be able to do anything a regular user can do. So far I’ve developed the systems for adding friends and scraping the newsfeed, with facebook-chat-api able to take care of most of our messaging needs.

How Puppeteer works is that is runs Google Chrome in headless mode (as in, without any visual interface) and uses a sophisticated API (because we all love APIs) to simulate user input like the cursor and keypresses. Speaking technically for a moment, this is pretty nifty.

My second biggest fear with this is that because I’m using my own account to test, there’s a 20-30% chance that I might get banned. In aid of this, we’ve made a Facebook account for the project, but currently it doesn’t have enough friends to actually like… work. If you want to help us out, adding John Provocateur https://www.facebook.com/john.provocateur.9 on Facebook would be amaaaazing.

My biggest fear with this though actually pertains the project as a whole. What is the reasonable ethical limits of privacy?

Using the Social Dial, someone can add themselves on Facebook. As it stands, doing so will include the user in the project until they unfriend John Provocateur. Their statuses will be visible in the “newsfeed” functionality, their name will be listed as a message-able friend, and an arbitrary user can comment on their posts through John’s account.

Is this okay? By adding John as a friend, has the user signed up for this?

The original plan with this was to use dummy data to avoid interacting with the public, but it became apparent that this somewhat undercuts the social commentary of the device.

Lorna is coming in at some point today to chat to us about this, and honestly I’m not sure what the solution will be. Only enabling interaction to a small subset of users? Going back to the dummy data idea? Or maybe we will just let John loose on the world and see what happens.

What do you think?

WillHay out