A little while back, I wrote about my concerns with the Facebook Messenger app, and the Permissions it demanded to function. It was these Permissions that saw me uninstall Messenger and ultimately close down my Facebook profile.

I’ve since activated a very stripped down Facebook profile, where I share a lot less than before and have it locked down to a very small number of family and friends – a very different experience from my “pretty much share everything” use on the deleted account.

Since I commute a lot, I installed the full Facebook for Android app. Usually, I have my apps set to update manually, but because I had been testing the beta version of the new Android app before switching back to the “official” one, I’d neglected to change my app update settings.

This let Facebook download the latest update yesterday. And, originally, I was impressed – the new UI was slick and the experience far superior. So impressed, I shared a couple of screen grabs of the new interface.

[Screenshots: Facebook for Android profile; Facebook for Android newsfeed]

As you can see, it’s a clean, easy-to-navigate experience. Finally, Android users had the app they deserved, right? Not quite.

The Devil Gives Better Choices than Facebook

You’ve probably heard the term “making a pact with the Devil”. Essentially, it allows you to have anything you want, in exchange for your soul being the property of the Devil when you die.

Facebook’s new Permissions kinda reminded me of this, given that they’re forcing you to give up any semblance of privacy you may have thought you still had left.

When I shared the pictures on Google+, Al Spaulding made me immediately regret the fact I was on auto-update. From his comment on the post:

It looks great. However I refuse to download it and am still using the older version from 2 mth ago. Why? Because the new one says pretty clearly that they can access your phone for anything. They can read your texts – take them off your phone and upload them to their server, place phone calls on your behalf, and even disclose your location without you wanting them to.

While I’m used to Facebook’s Draconian privacy settings, the part about accessing my SMS and MMS messages caught my attention. I don’t recall this being as explicit before (although it may have been), so I uninstalled the app and set about re-installing to check the Permissions out fully.

The results were a mix of scary and extreme.

[Screenshots: Facebook SMS, contacts, calendar and call numbers Permissions]

The Calendar I’d seen on previous Permissions, and the Calls (while annoying) I’m pretty sure had been there too. But check out the exact wording of the SMS/MMS Permission, and that of the Contacts one.

Doesn’t that alarm you as a user? Read that wording again, especially this statement:

This allows the app to read all SMS messages, regardless of content or confidentiality.

Wow. Just… wow. Not even my wife gets access to my SMS messages (and no, Jacki, I have nothing to hide!). What honest and useful reason can Facebook have to get access to my texts? Seemingly they’re running with the “It will help us target better” message.

I call bullshit.

Target Publicly and Respect Privacy

I’m a marketer. I get that data helps us target campaigns better, and (in an ideal world) meet the needs of our customers and audience by that very targeting. Yet as I say time and time again, this has to be opt-in, and publicly available data.

The moment you track data beyond public access, you’re moving into both immoral and – you’d like to believe – questionably legal areas.

Facebook requiring access to my SMS messages, as well as the friends I speak with privately on the phone, sets off major alarm bells, and this from someone that benefits from the amount of data publicly available.

I’m not naive enough to think anything we put on the web is private. And, since the NSA-Snowden affair, I’m even less naive to think that we don’t face the prospect of being snooped on by our respective security forces.

But it could be argued it’s in the interests of public safety for this level of monitoring (though some of the arguments are very tenuous). Facebook doesn’t protect us, nor does it seem to have our interests at heart. All it wants are numbers, pure and simple, and the data that comes with these numbers to sell to the highest bidder.

These Permissions for their Android app merely confirm that, and are why my use of Facebook will now be restricted to the web version.

Your privacy, and how you place it in the Facebook ecosystem, is something Facebook is counting on you to ignore. The choice is yours.
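
One way to see exactly what an update adds before accepting it is to compare the permission lists of the old and new APK. The following is an added example, not part of the original post: it parses the text that `aapt dump permissions <apk>` prints, reports the SMS, phone, contacts, calendar and location permissions discussed above, and lists what the newer version requests that the older one did not. The package name `com.example.social` and both dumps are constructed sample input, and the grouping is this example's own.

```python
import re

# Real android.permission.* names, grouped by the categories the post discusses.
# The grouping itself is an assumption of this example, not Android's or Facebook's.
GROUPS = {
    "SMS": {"READ_SMS", "RECEIVE_SMS", "RECEIVE_MMS", "SEND_SMS"},
    "Phone": {"CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG"},
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "Calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}
# READ_* grants access to everything already stored on the device, whereas
# RECEIVE_SMS only delivers messages as they arrive.
STORED_DATA = {"READ_SMS", "READ_CALL_LOG", "READ_CONTACTS", "READ_CALENDAR"}

# Matches both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

# Constructed sample dumps for a hypothetical app, before and after an update.
# One line of NEW_DUMP uses the older unquoted style to show both are parsed.
OLD_DUMP = """\
package: com.example.social
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""
NEW_DUMP = """\
package: com.example.social
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: android.permission.WRITE_CALL_LOG
uses-permission: name='android.permission.READ_CALENDAR' maxSdkVersion='22'
"""


def declared_permissions(dump):
    """Return the set of full permission names declared in an aapt dump."""
    perms = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def audit(dump):
    """Group the declared platform permissions and flag stored-data access."""
    prefix = "android.permission."
    names = {p[len(prefix):] for p in declared_permissions(dump) if p.startswith(prefix)}
    groups = {g: sorted(names & members) for g, members in GROUPS.items() if names & members}
    return {"groups": groups, "stored_data_access": sorted(names & STORED_DATA)}


def added_by_update(old_dump, new_dump):
    """Permissions the new version declares that the old version did not."""
    return sorted(declared_permissions(new_dump) - declared_permissions(old_dump))


if __name__ == "__main__":
    report = audit(NEW_DUMP)
    for group, perms in report["groups"].items():
        print(f"{group}: {', '.join(perms)}")
    print("Reads stored data:", ", ".join(report["stored_data_access"]))
    print("New in this update:")
    for perm in added_by_update(OLD_DUMP, NEW_DUMP):
        print("  +", perm)
```
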


Danny Brown
Co-author Influence Marketing: How to Create, Manage and Measure Brand Influencers in Social Media Marketing. #1 marketing blog in world as per HubSpot. Husband. Father. Optimist. Pragmatist. Never says no to a good single malt. You can find me on Twitter - Google+ - LinkedIn.
306 comments
DaveWilson2

Danny, being that you're a writer and likely have more time to analyze things and then write a cohesive article on the subject, would it be possible for you to write a NEW article that outlines just why these permissions MIGHT ACTUALLY be needed as opposed to your paranoid view of why Facebook should care at all about you as a person?  Maybe there are actual, legitimate reasons for these permissions.  Maybe Facebook ISN'T the Devil but rather is just limited in how they can possibly word things to make lawyers happy as well as the paranoids of the world.  Maybe it's Google's fault that Facebook needs to go through these hoops in order to function on Android.  
This comment is about all the time I want to waste on this.  I am not important enough for Facebook to care about.  I also don't take part in illegal activities so they're free to know whatever they want about me.  They will be quite bored in 20 minutes and move on.

Rudegirl

I had switched phones from my iPhone(s) to an Android because I wanted the larger screen.  I unfortunately have had problems with my Certified "Like" New phones and just got the latest.  

Whenever I get a new phone- all the apps are deleted so when I went to get the Facebook app- I was a bit confused which then turned into WHO THE FUCK DO THEY THINK THEY ARE to basically be me.  Yes, they basically take over your phone which with Smart Phones, it's a little computer.  

Studies show that low income people tend to use their phones more often as that is their computer.  So when I read what their "Permissions" are, I took screenshots and put them on my Facebook account to let my friends know what ludicrous bullshit they are asking for.  

Basically in my eyes- they are asking permission to be a hacker.  After all- there is no reason at all why they should need these permissions:

  • SMS- read your text messages (SMS or MMS) 
  • Phone- write call log.  Directly call phone #'s, read call log 
  • Photos/Media/Files  Read the contents of your USB storage.  Modify or delete the contents of your USB storage 
  • Camera/Microphone- take pictures and videos.  Record Audio 
  • Wi Fi connection information- view Wi Fi connections 
  • Device ID & call information 
  • Device & app history - retrieve running apps 
  • Identity- find accounts on this device.  Add or remove accounts.  Read your own contact card
  • Contacts/Calendar- Read your contacts.  Modify your contacts.  Read calendar events plus confidential information  
  • add or modify calendar events plus confidential information 
  • Add or modify calendar events and send email to guests without owner's knowledge 
  • Location- precise location (GPS and network-based).    
  • Other- create accounts and set passwords.  Run at Startup.  View network connections.  Prevent phone from sleeping.  Install shortcuts.  Change your audio settings.  Read Google service configuration.  Toggle sync on and off.  Expand/Collapse status bar. Draw over other apps.  Com.sec.android provider badge permissions READ.  Full network access.  Change network connectivity.  Set wallpaper.  Send sticky broadcast.  .com,sec, android provider badge permission, WRITE, read battery statistics,  reorder running apps,  connect and disconnect from Wi-Fi, read sync settings, control vibration

I had written my thoughts on all of these bullet points but they were a bit pissy, irate  and childish so I deleted them.  This is going way overboard.  Calendars, sending invites without letting ME know?  Every single one of these "Permissions" is absolutely ludicrous.  

My friend who is an attorney told me that it's illegal for a person to tag you in a photo without your permission.  So why give all of my liberties for a bloody FB app.  No wonder why there are so many people actually deleting their entire accounts.  It's sheer bullshit.  

As for Google. I have my issues with them as well.  Used to love them!  After they've bought Youtube and changed settings monopolies have never been my thing.  Are we in China but are "asked for permissions?"

ScottAyres

Maybe I'm the only one that could care less about privacy as I don't see a big deal here. Seems like pretty standard permissions if I want a messaging app to be able to message people on my contact list...

StuartHarland

Whilst I can understand why you have some concerns - the idea that they can access all of your data without oversight is slightly concerning - the premise is more about their idea of integration than accessing everything you ever do. For example FB messenger can send and receive SMS in place of your normal phone's capability.  Someone decided that that was a desirable function hence them needing access to some of the stuff they request.

The trouble you get with that is that android market place doesn't give you the option to limit certain privileges. Ergo they either ask for all of what they need to do certain things, or they ask for none of them and have to leave out the above functionality entirely. Unfortunately when you install the app, there is no way to say "oh I don't want that bit" and disallow the privileges required to make that bit work. This is a flaw with android, not Facebook. Android would say "we can't do that" because it would make application install process far more complicated and they have to cater for the Luddites out there.

DenzilDoyle

I am totally confused. How many social apps do you have on your phone? Zero? Most social apps have some of the same privacy messages you showed in the screenshots above. These messages are not specific to Facebook, Google can also read your message and contact and call logs.

JamieCrager

Hi Danny, here is an update, don't know if you saw this-

Facebook Is Going To Make You Download A Separate App If You Want To Send Messages

I think they are going to get around it by removing messenger from the main Facebook app, that way they can have 2 privacy policies, one for those that value it (to a certain extent) on the main app and those that don't care (separate messenger app). Facebook doesn't say this in the post as they give a spin type answer that most tech savvy people won't buy. The ironic thing is that some people are not happy about this, thus this Mashable post. 

11 Reasons Why Pulling Messenger From Facebook Mobile Is a Terrible Idea 

Anyways, onward my friend. 

Jamie 

Chris

Facebook's access to this information is, like all apps, opt-in. You Opt-in when you choose to use the service. Don't like it? Uninstall! Everyone should quit whining about all of the "invasion of privacy" garbage and read the TOS and requested permissions. They are very clear in the permissions about what you are allowing them to do. Nothing is hidden. If it bothers you, then don't use the service. If you feel they are asking for too much data, too bad. If you choose to use Facebook, then you choose to give them your life story. It's not Facebook's fault you were too big of an idiot to read what you were getting yourself into.

AlexGarcia5

So my phone has my work email on it.  My ITAR, go to federal prison if you show it to a foreign national, email on it.  Guess I don't have Facebook on my phone anymore.   Lawyers probably have to remove it to protect clients.  Journalists to protect sources.  SERIOUS OVERREACH in the APP TOS.

rajatkhanduja

Before I begin, I'd point out that I am not defending Facebook at all.

So, I have been worried about all these apps asking for weird permissions and I was glad that CM11 allowed me to use Privacy Guard to restrict the permission these apps had. Moreover, I could check how many times these permissions were requested and how often they were granted/denied (depending on whether or not I had let the app access it).

The Privacy Guard tells me that the Facebook app hasn't tried to Read SMS DB or modify call logs ever! So, what does it need those permissions for? Here are few things where the app might 'legitimately' need those permissions :-

1. Facebook (the app and messenger) seem to offer some way of calling another user directly through the app. I have never used that feature, but I guess using that would require the app to have 'call' permission. Moreover, to make it convenient, probably adding it to call log would also make things easy. So, that's where it would need the 'modify logs' permission.

2. Calendar related permissions could help provide easy integration with the Facebook calendar

3. Contact (reading and modifying) is relevant for syncing contacts. 

4. Not sure why Facebook app needs SMS permissions, but the Messenger app also offers the feature of handling your SMSes, for which you'd need those permissions. 

I think, as you do, that most of these things should be opt-in and not enforced. I have found my solution by using Privacy Guard, letting them access only things I want them to access, letting go of features that I don't think add much value. I wish most apps would respect that choice and freedom.

Karusan

Should also note that when you delete your profile, it is not actually deleted as an Irish group of law students found out.  Facebook just deactivates the account from public viewing but they still have all the data stored for their "improvement" purposes.

Sabinchen

Do you know whether this also applies to iPhone users? If so, I will also be deleting the app...

JohnHaydon

Danny -  Solid post.

They're banking on the high likelihood that users DON'T read app terms. 

optom27

@maguay I love the detailed permission pane in google play, don't see the reason why should you skip it before installing app

xdmag

@omervk It's not hutzpa, it's greed. Remember: In Facebook, YOU are the product being sold.

mmahdi

Disable the permissions that you dont want to give.

Sunnywilliam

There is nothing that could be as scary as when an online application does not protect the privacy. If this is what we get with Facebook on android, then it's not a good sign at all. For all the benefits of using Facebook, I would still buy into the idea of sticking with the web version if the mobile version breaches my privacy. 

AndreaSchiavini

They are not stealing your privacy or anyone else's. They are asking you to give them information about yourself and you are agreeing. It's strange that you hadn't to confirm a change in the permission set of the app, on my Android handset every time the permissions change I get a confirmation request even if I'm on auto update.

Danny Brown moderator

@docfox The problem is, other services with the "same" set-ups don't require the Read and Write part (compare to Twitter, for example). Also, the majority of "average Joe" users won't know about apps that deal with Permissions, etc. Nor should they be expected to, if developers and vendors played straight from the start.

Danny Brown moderator

@ScottAyres  If the piece was about the Messenger app, I'd agree (and there'd also be no article, given I've written previously about the Messenger app, as linked to in the post). But it's about the main Facebook app - and, given Facebook's recent announcement they're removing messaging from the main app to force you to use Messenger, there's even less need for some of the Permissions highlighted in the piece.

Danny Brown moderator

@StuartHarland  To a degree, yes, I agree, Stuart - the Android marketplace is certainly less controlled than Apple's equivalent. Yet speaking to devs who work in both, their overarching agreement is that Facebook is duplicitous in the Permissions their app asks for. Their explanation boils down to the need to read for security with regards to two-step log-in; yet this feature is markedly missing from Twitter, for example, who only read the Receive Texts option.

Given the news that Facebook are removing chat from the main app and forcing people to download Messenger, Facebook's reasoning it's needed for that function has lost its validity.

Danny Brown moderator

@JamieCrager  "Making it less of a friction experience"? They actually expect people to buy that twaddle? Less friction would be the ability to interact as seamlessly as possible regardless of channel - app, mobile Facebook, or desktop. Having to switch between apps to experience the same platform? Yeah, that's really frictionless...

StuartHarland

@Chris  The problem with that argument is that it is so pervasive that in some fields you are essentially cutting off your nose to spite your face.

If you walked into Walmart you wouldn't expect to have to give over your communication details in order to buy a pint of milk. Any person would turn round and say that that is excessive and an invasion of privacy. However because it's an app on android, the rules suddenly change. All of a sudden you're put in a position of having to make the choice of convenience over potential safety issues associated with giving away too many rights.

This issue isn't just related to FB. There are plenty of apps out there that request access to ridiculous things that they have no business needing. Yes you can choose to leave them out, but if you walk down that route too far you might as well become a hermit in a hole for all the good it will do you.

The solution is better guidance and enforcement. Why does FB need this? If they can really justify it, then sure. Otherwise they should be influenced to stop it - or at least give you more control over your data.

Beyond that, how many teenagers do you know who would say "no" to these terms in today's culture and what that would mean in their social standing. There is such a thing as coercion, and their current track is very close to that.

Danny Brown moderator

@Chris  As you can see from the post, Chris, I did uninstall. The article was written to highlight the new Permissions to users that may not be aware of it. Speaking of ToS, do you read every single word of every single ToS for services, apps, installs, CMS's, etc, that you use? Since, if you do, you'd be about the only person on the planet that does. 

Thanks for the tips.

Danny Brown moderator

@rajatkhanduja  There's a difference between call access and read access. Twitter doesn't need read access, they simply use receive texts as the datapoint; so it seems Facebook is making users adhere to non-essential Permissions. And given the news that they're removing the chat feature from the app to force you to use Messenger, it seems a deliberate move to access more data.

snookasnoo

@Sabinchen  No because Apple does not allow this.

maguay

@optom27 So I've heard since tweeting that. Could you send me a screenshot of it?

StuartHarland

@Danny Brown  I guess it comes down to the difference between "need" and "want". They are justifying it from the point of view of simplicity - supposedly it's far easier for them to write some code that reads texts from them to confirm you are logging in from your phone than using some interaction between the phone, the user and the app. However when you use two stage authentication with say a laptop - or any other device other than the phone you have registered with facebook for that matter - you have to do precisely this. Ergo ultimately this argument about two stage authentication is somewhat moot and involves extra overhead without any real justification. 

As a result I would agree with you that their excuses are duplicitous, although that shouldn't necessarily be translated as "FB want to read every SMS and record every phone call for ulterior motives". 

Ultimately it's really about marketing. Facebook for android is basically trying to tie you into their platform for everything you do on the phone. There is a reason they want you to send SMS via their app, or initiate your phone calls through FB as opposed to via the phone's inbuilt contact list. That reason is marketing. If you come out of FB to use your phone as a phone, you're not exposed to their ads. Thus they make less money. 

Personally I do not want those features - which is why I have them disabled in the app. However unfortunately there are people out there who do. As a result there is no middle way in Android to say "oh he doesn't like that so we can disable it". There should be and it's mostly Google's fault for designing it that way. 

In terms of the moral bit, I'd imagine the UK data commissioner and most likely the EU Commission would be interested in what is and isn't acceptable here - They have mandated tracking should be optional for the web. Perhaps they should do something similar for phone apps. After all the current design paradigms for android are "either accept it and use the app" or "deny it and lose out".

JamieCrager

@Danny Brown @JamieCrager Yes he did. It is poorly substantiated and some of his points are redundant. It is obvious he wrote the post in 5 min. just to get it live and be the first to write a post on it. With that said, between us, I'm sure we could come up with much better reasons like "adding friction, instead of less" to the argument, however if it is true that it will allow a kinder privacy policy on the main app, people may like it. I'm sure you can make great cases either way.  

optom27

@maguay it’s already shown in tutorial itself, only notable thing is when app requires new permission, then i will send you a screenshot

DonchoPapazov

@Danny Brown @mmahdi  bro if you are running Android 4.3 just install App Ops from the market. In other case just root, flash some bad ass rom (don't forget to flash recovery) and you are good to go :D

optom27

@maguay i keep a host file and update it with scripts to block intrusive ads, today i am adding dnscrypt to it, let’s see if it works

optom27

@maguay i don’t use facebook, but once you root the android phone you can control permission and background services of any app and system
