Facebook app permissions skirted rules to gather call logs

Facebook app permissions skirted rules to gather call logs

The troubles for Facebook continued this week with a trove of internal emails as part of an investigation in the U.K. Parliament revealing questionabl

ThreatList: Attacks on Industrial Control Systems on the Rise
Researchers Find BlackEnergy APT Links in ExPetr Code
Bug In Google's Bug Tracker Let Researcher See Internal Google Bugs

The troubles for Facebook continued this week with a trove of internal emails as part of an investigation in the U.K. Parliament revealing questionable data practices, including Facebook’s Android app permissions being designed to gather data without users knowing.   

Despite a U.S. federal judge ruling that the emails should be sealed, Damian Collins, chairman of the U.K. Parliament’s Digital, Culture, Media and Sport select committee, ordered the collection of 200 pages of internal Facebook emails be released. He said on Twitter, this was done because the committee didn’t feel it “had straight answers from Facebook” on important issues.

The emails described various practices by Facebook, including entering whitelisting agreements to allow certain companies to continue to maintain “full access to friends data,” linking access to friends data to the financial value of Facebook for developers and data reciprocity policies between Facebook and developers.

One of the more troubling revelations in the emails regarded Facebook app permissions on Android. The emails show that in November 2013, Facebook privacy and legal teams were working “to understand privacy risks associated with several Android permissions that will go out in the next release, including permissions associated with reading call logs and SMS.”

Another email thread from February 2015 described a plan for the Facebook app permissions on Android to trigger a dialog and require users to accept call log uploads, but Facebook found a loophole that would allow the app to be updated “without subjecting them to an Android permissions dialog at all.”

According to a summary of the emails by Collins, “Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user would be controversial. To mitigate any bad PR, Facebook planned to make it as hard of possible for users to know that this was one of the underlying features of the upgrade of their app.”

Google did not respond to specific questions but pointed out that runtime permissions — allowing users to “see, grant and revoke permissions” before for apps at a granular level — was introduced in Android 6.0 Marshmallow, which would have made Facebook app permissions would be more transparent. However, Android platform history showed that despite Marshmallow being released in October 2015, Android 6.0 and higher wouldn’t be installed on more than 50% of devices in the wild until mid-2017.

Additionally, in October 2018, Google locked down access to call logs and SMS data; the only apps that can access that data beingthe default Android phone and messaging apps.

Facebook responded by saying in a blog post that the documents were “cherrypicked” and that the release “tells only one side of the story and omits important context.” The blog post also gave a more specific explanation for the Facebook app permissions issue.

“The feature is opt in for users and we ask for people’s permission before enabling. We always consider the best way to ask for a person’s permission, whether that’s through a permission dialog set by a mobile operating system like Android or iOS, or a permission we design in the Facebook app. With this feature, we asked for permission inside the Facebook Messenger app, and this was a discussion about how our decision to launch this opt-in feature would interact with the Android operating system’s own permission screens. This was not a discussion about avoiding asking people for permission.”

Expert response

Andrew van der Stock, senior principal consultant at Synopsys, said Facebook app permissions on Android “does not adhere to the principle of least surprise.”

“Facebook users would not have known or consented to surreptitious and invisible data collection. Not only does this violate privacy laws in many locations, including Australia and European Union, it erodes trust with their users,” van der Stock said. “If Facebook were aiming for growth, this will likely have the opposite effect as the stampede by users leaving the platform accelerates in light of these and other revelations.”

Paul Bischoff, privacy advocate with Comparitech.com, said “it’s difficult not to use the word ‘deceptive’ to describe Facebook’s tactic here. It would have been trivial to ask users to accept a new permission, but Facebook clearly thought it had something to hide.”

Van der Stock added that the Facebook app permissions are another step in a troubled history.

“Facebook’s history of privacy is one of continued unnecessary collection, such as when they changed your contact card on your phone to use a Facebook email address as the default email address. That is not okay,” van der Stock said. “People willingly upload a great deal of information, so they can stay in touch with their families and friends, but many don’t realize just how much metadata and actual data they are sharing. I am a Facebook user, and I do know the risks, but I would imagine most don’t. I would love for Facebook to improve their transparency in this matter.”

Bischoff gave Facebook some credit for giving users “pretty granular control over what other users and the public can see on their profiles” but said this was in contrast to the little information and control about what Facebook and its affiliates can access.

“By its very nature, Facebook runs contrary to the principles of privacy, and it has a long record proving as much. Relatively few people took it seriously until politics got involved. But the more than one billion people who use Facebook should be held accountable as well,” Bischoff said. “None of us should expect to get something for free; we pay to use Facebook with our personal data. While I don’t agree with many of Facebook’s decisions, the entitlement of its users is what really astounds me.”

Go to Source

COMMENTS