Facebook Denies Accessing Users' Text Messages
quantr writes "Facebook is being accused of snooping on its users' text messages, but the social network says the accusations are inaccurate and misleading. The company is among a wide-ranging group of Web entities, including Flickr and YouTube, that are using smartphone apps to access text message data and other personal information, according to a Sunday Times report (behind a paywall). The newspaper said Facebook 'admitted' to reading users' text messages during a test of its own messaging service. The report also says information such as user location, contacts list, and browser history are often accessed and sometimes transmitted to third-party companies, including advertisers."
Worst? (Score:5, Informative)
What's worse? The fact that they have to deny these kinds of accusations or the fact that they're probably lying?
Re:Worst? (Score:5, Insightful)
The fact that any old app can apparently access your contacts, text messages and browser history.
Re:Worst? (Score:4, Insightful)
Re:Worst? (Score:5, Informative)
With iOS, apps just simply have access to this data by default. With Android, for each app you have to specifically grant access to these things while installing the app.
Re: (Score:2, Insightful)
With Android, for each app you have to specifically grant access to these things while installing the app.
And that is the flaw. The right way of doing it is to let the user grant apps rights to individual resources, possibly temporarily.
Re:Worst? (Score:4, Insightful)
Re: (Score:3)
This will only really work if it's a standardized OS-wide feature.
Re:Worst? (Score:4, Informative)
Look for:
LBE Privacy Guard
Permissions Denied
Re: (Score:2)
Re: (Score:3)
Just be aware of the limitations of the model LBE uses. All root apps like it - including DroidWall, which I use as well - are by their very nature, leaky. If they crash and you don't realize it, they do nothing. If they fail to autostart and you don't realize it, they do nothing. In that small window between when Android boots and LBE/DroidWall autostart, they do nothing. The last case can be helped somewhat by startup managers.
PDroid [xda-developers.com] seeks to shore up those shortcomings, however, it is only available fo
Re: (Score:1)
It amuses me how your definition of "written incorrectly" means "not written for a blatantly non-standard use of the Android environment". In NORMAL Android development, the developer can explicitly assume that if permission was NOT granted, the program will simply not exist on the phone. That is how it's designed.
But, sorry that following the design is clearly "incorrect" by your cockamamie idealism. We'll try to anticipate the entire API being pulled out from under us next, because I'm sure you'll bitc
Re: (Score:2)
What if my device has no GPS? What happens then? How about no 3g/4g/lte radio and therefore no contacts?
Re: (Score:2)
How do I verify that the dev is being honest?
Really as a user, what I would like is a "Verified by Google" program. Submit your app to Google along with $5, Google takes a look at it, and says, "yep doesn't do anything sneaky, etc" and gives it a filterable attribute to the app so I can see only those if I want.
Maybe it should be $20 for the first submittal, and $5 for updates, seems like "git diff old_app new_app" would work well enough to simplify the looking at updates a lot.
Re: (Score:1)
It is in Cyanogenmod 7. In my experience, apps do not handle having permissions removed gracefully, and often crash. If you need to use an app there are times when there is no option but to grant access.
Re: (Score:1)
BTW, if you don't think you have a Facebook account, try to think if someone who uses Facebook has entered information about you into their phone book... I know I received a suggestion to friend someone because I used to have their co
Re:Worst? (Score:5, Insightful)
Re: (Score:2)
The first five I found on the market all required full access to my address book. WTF? I skipped installing them, but I'm sure that they'd have worked without this capability. The other big UI problem is that the apps don't say WHY they need these privileges.
I'm not certain, but I think that some people are now putting QR codes onto their business cards that have their contact information embedded. I know one person that has a QR code that takes your phone to his website, but was thinking about trying to get the business card reprinted with his information in VCard format within the QR code instead. I'm guessing that was the reason for the address book permissions (to add to it, not to read it), and that if you had that application, you could add a contact inst
Re: (Score:3)
The first five I found on the market all required full access to my address book. WTF? I skipped installing them, but I'm sure that they'd have worked without this capability. The other big UI problem is that the apps don't say WHY they need these privileges.
I'm not certain, but I think that some people are now putting QR codes onto their business cards that have their contact information embedded.
I have seen an actual instance of this: a local magazine publisher here prints his business card in the mags he publishes and it contains a QR code with his contact info. If an app could write to the contact list, it could add that information automatically.
But on the other hand, QR codes can be used for other data, too, so an app should be installable with or without this privilege.
But on the third hand, if an app can't do something that it promises, or it gives the user an error message stating that it do
Re: (Score:2)
I looked into doing this for my cards, but found out that Android will not import contact info directly from a QR code; the best option is to link to a vcard, and the user can download that and then import it. So like 6 clicks to do that. I was hoping for "scan code" -> "would you like to import this contact Y/N" -> "Done".
Re: (Score:2)
The other big UI problem is that the apps don't say WHY they need these privileges.
This is the biggest problem I have with the way the permissions are done. I can never tell why various apps require the different permission sets. I want to know why that game I installed needs my address book or the ability to make phone calls. What is it going to do? Call my friends & tell them I just passed the 2nd level?
Re: (Score:1)
That game needs access to your dialer so that it can be paused when someone calls you. I agree that the warning is misleading, and I believe it's something the Android developers are working on.
Re: (Score:3)
Why should you have that power?
If I write an app and to pay for it I put ads out you have the right to install it or not.
As long as it is made clear what I have access to, if you do not like it then do not install my app.
Being able to install my app in any way you want on a free app is not a "right" that you have.
You are really going to blame Android for telling you what an app wants and asking if you really want the program?
How much are you paid to make Android seem the same as iOS here?
Re: (Score:2)
Re: (Score:3)
It is not.
Not that I know of.
The point I was making was that the programmer gets to determine what permissions he wants.
The user gets to determine if he wants to give that stuff up to have the app.
This is not only how it works but in reality it is exactly as it should work. The only times that you have problems are when a user screams "I did not read it!" or when a user screams "I want the stuff you made but I want it how I want it! Just give it to me anyway!".
In both of those cases I am ok with the user ge
Re: (Score:2)
Re: (Score:2)
But users cannot sanely determine whether they should give the app permissions, unless the app explains why it wants those permissions.
Yes they can.
If I want an App and I have questions about why it needs certain permissions I can ask.
Most market Apps have comments about permissions. Sometimes just looking I can get the answer. If I need to ask the developer then my download can wait till I have my answers.
If I install a clock widget and it asks for permissions to send text messages to pay numbers, I don't trust it. If the clock description lists a feature to send text messages to another phone when a user-defined timer goes off, I might trust it. (And it would take more than just that description to make me trust it.)
Exactly.
I do not really know what your problem is. In 90% of my downloads a quick check of the permissions it asks for and the comments section lets me know if I should download or not. The other 10% might require a little effort on my p
Re: (Score:2)
Re: (Score:2)
Sounds to me like on your phone developers that do a better job are more likely to be installed on your phone.
So....
Nothing broken here. All is working as intended.
Re: (Score:2)
Also the reason that a QR code reader may want full access to your contacts list is because most of them will read contact QR codes. One click and full contact information for a person is added to your list.
Re: (Score:2)
The problem is that Android offers apps no mechanism to ask for permissions after installation, like there was in, say, J2ME phones.
So apps need to ask upfront for all permissions which they might need to support all of their features, even if some of those will never be used.
In your QR code example, if the app features a way to, say add a contact from a QR code, or generate a code for a given contact in your address book, it must have that permission, even if most users will never need it.
As an Android dev
Re: (Score:2)
Google Goggles can read QR codes, not sure which permissions it needs, but as Google already has access to my contacts, I'm not sure I care about that one.
Re: (Score:2)
Re: (Score:2)
In iOS, applications don't have a lot of access to personal data to start with - and certainly not to read SMS (although apps can send using an Apple-sanctioned UI only). They do have access to the contents of the address book, but this looks likely to change soon.
Re: (Score:1)
They have access to my photos, videos, calendar and contacts that I know of. I consider that a lot of personal data. But I don't know which apps have access to what on iOS, whereas I can see that per app with Android.
Re: (Score:2)
I think the point here is that whilst applications do indeed have access, this is often mediated through Apple's user-interface in each case - which I suspect you'll find is actually provided by another process within a different sandbox. This means that rogue applications are not hoovering up your data without user-interaction.
Re: (Score:2)
On iOS they do not have access to your photos, videos or calendars.
They can however display a browser requesting you to select a photo or a video and then manipulate the particular one you chose. They cannot access them outside of the defined API.
This is one reason that all the "private photo" apps can only import pictures from iOS one by one, or by you uploading them via iTunes or the net etc.
Re: (Score:2)
That's changing in iOS 5.1 – users will have to explicitly allow address book access, just like they are prompted to do with GPS access today.
Re: (Score:2)
Apple spokesperson: "We’re working to make this [protecting user privacy] even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
http://allthingsd.com/20120215/apple-app-access-to-contact-data-will-require-explicit-user-permission/ [allthingsd.com]
This was in answer to a Congressional inquiry (hopefully that inquiry will knock on Google's door as well).
I imagine Apple has your UI concerns in min
Re: (Score:1)
You can however decide not to install the app if you don't want it to have access to whatever it is requesting.
Re: (Score:2)
I'd say LBE Privacy Guard + DroidWall make an excellent defense, something that can be said to tip the scales in favor for Android, assuming a clued user and a rooted phone.
iOS has/had Firewall IP, but not sure if that has been updated to keep up with the latest iOS 5 vagaries. It also requires a jailbreak, which can be daunting, come iOS 5.1 and forced upgrades on restores. So, unless one gets that working, the only way to tell that an app is slurping from the message logs is to have the phone on a wirel
Re: (Score:2)
Fleshlight app? They make those now? Awesome.
Re: (Score:1)
On Android, it pops up a warning at install time. I'm sorry, but if you didn't know the Facebook app accesses that info, whose fault is that? It's very clear that it requires access to every bit of personal info on your phone, down to your inbox if I recall correctly. It's why I don't have Facebook installed on my phone, and why I refuse to upgrade several apps, I don't feel they need that level of access, so I don't let them on my phone.
Re:Worst? (Score:5, Informative)
Many smartphones come with Facebook pre-installed. I had to root my phone to uninstall it.
Re: (Score:2)
2) Install granular permission control app.
3) Deny apps permissions you don't agree with.
Cyanogenmod 7.1 has granular app control built in, or you can use a 3rd party app like LBE Privacy Guard.
Don't use an Android device? Sorry, no advice for you. <trollface>I guess being able to control your device is important after all.</trollface>
Re: (Score:2)
Look, can you people stop saying this as if it's something guaranteed.
There are many hardware-firmware-Android combinations out there that just cannot be rooted. For example, Dell Streak 5 with Android 2.2
So.. what now, smart guy?
Caveat emptor. It's a foundation principle of Capitalism.
Re: (Score:2)
The report also says information such as user location, contacts list, and browser history are often accessed and sometimes transmitted to third-party companies, including advertisers.
That also caught my attention- location, contacts list and browser history, all to third-party advertisers: well, I think they are pushing it, and that people should either use a firewall (I'm no smart phone expert but I really hope there exists a firewall) or not install the app at all- can't one just access facebook from a smartphone's browser? Why would you need an app, especially if they spy on you in such a greedy and disrespectful way?
Re: (Score:1)
The fact that any old app can apparently access your contacts, text messages and browser history.
The Facebook app has a legitimate reason to read/write your contact data. It includes a feature that allows you to sync your contacts on your phone with your Facebook contacts. It would be great, for example, if it automatically updated the contact photos on my phone for my Facebook friends using their profile picture on Facebook. (I think Motoblur does this, for example.)
However, the way facebook implemented it was rather messed up. They didn't store the contacts with the regular contact data. So, if yo
Re: (Score:2)
That sounds about right. Facebook really don't want anyone to have any way to stay in touch with their friends that doesn't go through Facebook.
Re:Worst? (Score:5, Interesting)
You know when a corporation says "the accusations are inaccurate and misleading" that they are guilty as hell.
How hard is it to say, "No, we never, ever access private messages or contact information for any reason"?
It's like when a politician says, "To be perfectly honest..." Somebody needs to hit the crash cymbals whenever those words are spoken, to indicate ALERT! LIE COMING....
Re:Worst? (Score:4, Funny)
But then how would we hear the politicians over the constant crashing of cymbals? On the bright side, assassins would no longer need silencers.
Re: (Score:2)
How hard is it to say, "No, we never, ever access private messages or contact information for any reason"?
Really, really hard. Because as soon as any company does this, some back office dweeb from the company pipes up with "actually, that's not technically correct..." and now they're openly lying about it. PR and politicians alike never want to talk in absolutes because it can only ever come back and bite them...
Re: (Score:2)
Actually, I'd say it's that you're verging on libel and Slashdot is modding you +5 informative.
Why are people surprised? (Score:5, Insightful)
There are two ways to grow revenue with this model. 1) Sign up more users. 2) Invade deeper into the user data so the data sold to advertisers is more relevant and worth more.
Re: (Score:3)
People are surprised because they only expect the government to invade their privacy,
not publicly traded corporations exceeding their authorized access.
Re: (Score:3)
Re: (Score:1)
People are surprised because they only expect the government to invade their privacy
I tend to disagree. Most people I run across look at you funny when you present the idea that the government is invading their privacy. In fact, most will deny it outright and argue that "the people" would never let anything like that happen (even though, it's already happening, and worse!)
You have a nation of consumers, which means they all think in terms of "who can I go to when [whatever] doesn't work, is broken, is causing me inconvenience, etc. and when they find the company they're dealing with is
Re:Why are people surprised? (Score:4, Insightful)
Because there is the idea that what you enter into one app on your phone is not available to another app.
If I accept the "terms of use" for facebook, I do not also consent to having them go through my text messages.
When I turn off location services for facebook I do not expect them to still access my location.
Re:Why are people surprised? (Score:5, Funny)
But the T in Facebook Stands for Trustworthy.
Oh wait,,,.
Re: (Score:2)
Because there is the idea that what you enter into one app on your phone is not available to another app.
And that is in fact the default operating method for both major smartphone platforms. But there's value in being able to share certain kinds of data between apps. For example, if you want to write a better SMS client, that task is pretty much impossible if the user has to recreate their entire contact list and loses all their existing SMS history. That's why (on Android at least) the app has to request permission for that access. Unfortunately your only choices are to grant every permission the app requ
Re:Why are people surprised? (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
Facebook is a free service. Facebook users and their data are the commodity being sold to advertisers. The business model isn't a secret.
It's not really free. It's just harder to quantify what value you've exchanged for the service. Facebook certainly turns data into money.
Smartphones (Score:4, Insightful)
is that allowed on mobile APIs? (Score:1)
I've never programmed for mobile phones before, so I'm ignorant, but are the phone's SMS messages even available in the APIs given to mobile developers to use for creating 3rd party apps? Even if it is available in the API, surely the phone OS would pop up a warning and force you to confirm approval.
I was skeptical when I read this story for that reason.
Re:is that allowed on mobile APIs? (Score:4, Interesting)
Android phones in the U.S. come with apps that cannot be deleted, depending on the service. Typically: Facebook, Twitter. You can choose to decline updates, but you cannot remove the app. Look at the comments on this app: https://market.android.com/details?id=com.virginmobileusa.vmlive&hl=en [android.com] Of them 90% are along the lines of this one: "This program is garbage I wish I could get this crap off my phone."
Re: (Score:3, Informative)
Android doesn't do this. Certain carriers push out custom versions of Android where a small handful of the shovel-ware apps can't be deleted. But Facebook and Twitter can be deleted on all the major carriers (Sprint, AT&T, T-Mobile, Verizon).
However, you can always root your phone if you really want to delete these shovel-ware apps.
Re: (Score:2, Informative)
Google's stock Android doesn't let you uninstall Facebook, Twitter, Amazon MP3 and even Google Books. I'm talking Gingerbread on Nexus One - so it's not imposed by any carrier. It gets into some weird situations as well - since I'm in India and currently Google Books is not available for India, it won't let me install any updates, but it still shows me update notifications, and would not let me uninstall the app. It sucks, especially since app storage is really small and precious on these old phones.
Re: (Score:1)
Re: (Score:2)
Android doesn't do this. Certain carriers push out custom versions of Android where a small handful of the shovel-ware apps can't be deleted. But Facebook and Twitter can be deleted on all the major carriers (Sprint, AT&T, T-Mobile, Verizon).
Not true on AT&T. Just tried it on my SGS2, Facebook is still there.
Re: (Score:1)
Otherwise people shouldn't be surprised by this... (Score:1)
I kind of expect such behavior by big internet companies like Facebook, Google, Microsoft, Zynga, etc.
We've all read the line "If You're Not Paying for It; You're the Product" and it's true.
It's just a shame that these companies don't tell/warn/notice the users clearly before they sign up and while they are using their services about what's going on behind the people's backs.
There should be something along the lines of...
"Dear Sindy, the reason why that third-party company is sending you advertisement about herpes treatment products might be, because we found out about it during your messaging with Jenny and we thought that we should sell your information, which you would probably want to remain private, to the company paying us the most, which is specialised in treating herpes. It's a win-win situation for both of us. Best regards, your Facebook-Privacy-Team"
Well yeah. (Score:5, Interesting)
I stopped using and uninstalled the Facebook Android app when I saw that it was turning on my phone's GPS as soon as I opened it. Sorry, but there's no legitimate reason for the GPS to be on all the time in this app's context.
Oh well (Score:3)
Why aren't the apps properly sand-boxed? (Score:5, Insightful)
I think I should be able to go in and modify any app's permissions after the fact. The "accept permissions" button should only set those requested permissions as default, then I should have an app that can revoke them. Currently the app developer gets all the power because people don't know what the permissions tie to and how they actually get used/abused. Such an ability would make app authors think twice...
Re: (Score:2)
Cyanogenmod lets you do exactly that. I'm running it on my HTC Thunderbolt, and as soon as I read this, I went in, saw that the Facebook app does indeed request full SMS permissions (read, write, send, and receive), and turned them all off. The app hasn't complained so far. Still, it would be nice if it was an OS default option instead of requiring that you install a third-party ROM, which isn't possible on a lot of phones and will break other things on many of them.
Re: (Score:1)
Or just use PDroid [android.com], you can restrict permissions easily and apps WON'T crash...
Have you seen the permissions? (Score:3)
Have you seen the permissions the Facebook App has on the HTC Rezound? (And I'm sure on other phones.) Oh BTW you can't actually remove the FB App from this phone unless you root it.
This is exactly what it says on my phone...
Permissions: This application can access the following on your phone.
- Your personal information
Read contact data, write contact data
- Services that cost you money
Send SMS Messages
- Your messages
Edit SMS or MMS, read SMS or MMS, receive SMS
- Your location
fine (GPS) location
- Network communication
full Internet access
- Your accounts
act as an account authenticator, manage the accounts list
- Storage
modify/delete SD card contents
- Phone calls
read phone state and identity
- System Tools
prevent phone from sleeping, write sync settings
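The install-time list quoted above can be checked from an app's manifest before anything is installed. The following is an added example, not part of the thread or of any app's own code: it groups the `uses-permission` entries of a decoded `AndroidManifest.xml` under the same headings and flags the combination the story is about. The label-to-permission mapping is an assumption based on the standard `android.permission.*` names of that era, and the sample manifest (a hypothetical clock widget) is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFIX = "android.permission."

# Install-screen heading -> permission constants (assumed mapping, see lead-in).
GROUPS = {
    "Your personal information": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "Services that cost you money": {"SEND_SMS"},
    "Your messages": {"READ_SMS", "WRITE_SMS", "RECEIVE_SMS"},
    "Your location": {"ACCESS_FINE_LOCATION"},
    "Network communication": {"INTERNET"},
    "Your accounts": {"AUTHENTICATE_ACCOUNTS", "MANAGE_ACCOUNTS"},
    "Storage": {"WRITE_EXTERNAL_STORAGE"},
    "Phone calls": {"READ_PHONE_STATE"},
    "System tools": {"WAKE_LOCK", "WRITE_SYNC_SETTINGS"},
}
# Groups that expose data the user would consider private.
PRIVATE_GROUPS = ("Your personal information", "Your messages", "Your location")

# Constructed sample: a hypothetical clock widget asking for far too much.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clockwidget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.example.clockwidget.permission.SYNC"/>
  <application android:label="Clock widget"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
    return {n.get(attr) for n in root.iter("uses-permission") if n.get(attr)}


def group_permissions(perms):
    """Sort permissions under the install-screen headings."""
    grouped = {}
    for perm in sorted(perms):
        # Only platform permissions are matched; app-defined ones are set aside.
        short = perm[len(PREFIX):] if perm.startswith(PREFIX) else None
        label = next((g for g, names in GROUPS.items() if short in names),
                     "Unrecognised")
        grouped.setdefault(label, []).append(perm)
    return grouped


def audit(manifest_xml):
    """Return (grouped permissions, findings worth a second look)."""
    grouped = group_permissions(requested_permissions(manifest_xml))
    findings = []
    readable = [g for g in PRIVATE_GROUPS if g in grouped]
    # Reading private data is one thing; reading it with network access means
    # it can leave the device. This shows capability, not actual transmission.
    if readable and "Network communication" in grouped:
        findings.append("private data + network: " + ", ".join(readable))
    if "Services that cost you money" in grouped:
        findings.append("can spend money: "
                        + ", ".join(grouped["Services that cost you money"]))
    if "Unrecognised" in grouped:
        findings.append("review manually: " + ", ".join(grouped["Unrecognised"]))
    return grouped, findings


if __name__ == "__main__":
    grouped, findings = audit(SAMPLE_MANIFEST)
    for label, perms in grouped.items():
        print(label + ": " + ", ".join(perms))
    for finding in findings:
        print("FLAG " + finding)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before this parser can read it.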
Re: (Score:2)
Hopefully the update to Android 4.0 is not delayed too much for that phone. With 4.0 you can disable entirely an application, even base applications and those added to the ROM by the manufacturer
One browser per evil mega-corporation (Score:2)
As long as the # of decent browsers surpasses the # of evil mega-corporation web services I want to use I guess I have some privacy. Fifteen years ago there were two browsers and both were broken, either by crashes or security. Now we're in a golden age of good browsers. The only way the evil megas can break browser separation would be by IP, which is fuzzy, or by Flash cookies, which I hope are not shared across browsers. (Or by behavioral analysis, also fuzzy.)
Mozilla even has two browsers you can install
Re: (Score:1)
You can also run several Firefox profiles simultaneously if you start it with the -no-remote option.
The real problem (Score:3)
What should be happening instead is: make the permissions user selectable, to be able to install the Facebook app, but to prevent it from accessing anything I don't want. The app store / market rules should mandate that applications cope with the degradation of privileges gracefully. The OS/app should display a popup when the user tries to do something that requires privileges the app doesn't have, along the lines of "do you want to grant permission x to this application? [just this once] / [yes] / [no] / [don't ask again]"
Re: (Score:1)
[...] the Policy must always obfuscate the data before storing it, using a key that is unique for the application and device. Obfuscating using a key that is both application-specific and device-specific is critical, because it prevents the obfuscated data from being shared among applications and devices.
However, in order to get a truly device-specific identifier requires extra permis
Murdoch's not so bad (Score:2, Interesting)
This Sunday Times article is just the latest in a string of Rupert Murdoch media outlets (mostly the Wall Street Journal) posting exaggerated and questionably-researched stories about "hacking scandals" at large internet companies like Facebook, Google, Microsoft, etc. The strategy seems to be to distract the public from real hacking scandals at News of the World and other Murdoch owned properties and make it appear that hacking is a normal activity for successful companies. What, you thought that scandal
Something Related (Score:1)
I have a simple solution. (Score:1)
Don't use facebook. I've never had facebook, or orkut, or twitter, or any of that crap.
I use the internet in just about the same way I used it when I was a kid, except now I use SSH instead of Telnet, and SCP instead of FTP. I use the web to retrieve information, as was its original purpose, and of course as a replacement for USENET. Why do people find the need to use all of these new crappy services offered over the web? Why do they find the need to register to every new stupid service they find? Now most of t
Uninstalled! (Score:1)
Facebook denies ... (Score:3)
"Never believe anything until it has been officially denied" (the right hon. J. Hacker.)
How much I may hate Facebook... (Score:3)
I got rid of my smartphone (Score:1)
The problem is the smartphone. What you have is a little computer, holding lots of your data, that has wifi, 3G, 4G, LTE, LSD, and of course, 2G. It's a walking smorgasbord of personal data about you.
And what do you do with it? You download app after app, to make it so you can do stuff easier, while letting these "apps" have access to your data. Your personal data. Sure, the corporations, who make their money off your personal data, are going to say they aren't "reading" your text messages, your
BlackBerry not affected? (Score:2)
I just checked the permissions of the Facebook app on my BlackBerry (9930 running 7.1) and it does not give the FB app access to any of my messages.
Not too shabby for a supposedly dead platform.
Facebook: gone! (Score:1)
Re: (Score:1)
Verification is simple (Score:2)
Just write a text message saying "I'll destroy the US" and wait for the DHS.
users get what they deserve seriously (Score:2)
Apple considers their users too stupid to know such important details like whether an app can access all your data. Android pops up a nice dialog - when I thought I'll try out the Facebook app, it said it can access my contacts, sms messages and pretty much everything. I said fuck no, and never installed the app. Also the reports from friends with iPhones that as soon as you install the facebook app the first thing it does is to upload all the phone numbers from your contact list to facebook. People who did
Re: (Score:2)
CyanogenMod adds this nice feature where you can selectively disable permissions. Facebook does not have access to my messages.
FB = failing big (Score:1)