This article is more than 1 year old

Fleeing Facebook app users realise what they agreed to in apps years ago – total slurpage

Zuck takes out full-page ads to apologise as Tim Cook calls for 'well-crafted' privacy laws

It was the weekend that had it all: promiscuous permissions dragged Google into the Facebook privacy row, Facebook apologised again while at the same time denying anything's wrong with its Android apps, and Tim Cook was totally not smug when he chimed into the privacy debate.

It's long been understood by people in tech (less so, El Reg suspects, in the broader public) that Facebook analysed users' interactions in its Social Graph. Doing so is the core of the company's advertising strategy and the purpose of the algorithms that choose what's at the top of users' feeds.

However, when people started deleting their accounts on the weekend, the more sharp-eyed realised Facebook was slurping more than they expected.

New Zealand LLVM developer Dylan McKay got the ball rolling with the following Tweet:

What McKay and others realised to their horror was that Facebook Messenger on Android uploaded far more than expected. Specifically: metadata for phone calls and text messages, even though they were sent with Android's default phone and SMS apps, not Facebook's Messenger apps.

The same kinds of everything-including-the-kitchen-sink permissions apply to the Facebook and Instagram apps.

Android permissions - Facebook, Instagram

You were warned: Facebook and Instagram Android app permissions

As Johns Hopkins University cryptographer Matthew Green put it:

Facebook Wow Sad Angry

Facebook's inflection point: Now everyone knows this greedy mass surveillance operation for what it is


The data slurp included Facebook app users' interactions with others who are not on Facebook – meaning people who never gave the Social Network™ permission for anything are probably profiled in its data troves anyway.

This was already an issue for Web users, with the infamous Facebook cookie the subject of lawsuits in Belgium (Facebook won) and France (Facebook lost).

In January, long-time Facebook antagonist Max Schrems was told he couldn't run a privacy class action in Austria, but individuals could sue in that country. Schrems is conducting a separate and very costly legal battle with Facebook in Ireland.

However, few if any users realised message metadata they believed were private were being uploaded.

As futurist and El Reg columnist Mark Pesce put it:

Pesce also mused on the ethical considerations that accompanied the development of a capability that results in such an extensive data-slurp:

Facebook has responded with a statement saying “uploading call and text history” was always opt-in (unless, of course, you're not a Facebook user, in which case you had no say in the matter).

The post says the data was never offered for sale, and also draws on the “metadata is not data” defence: “When this feature is enabled, uploading your contacts also allows us to use information like when a call or text was made or received. This feature does not collect the content of your calls or text messages. Your information is securely stored and we do not sell this information to third parties. You are always in control of the information you share with Facebook” (emphasis added).

Facebook's other response to the escalating scandal was to take out full-page mea-culpa newspaper advertisements in the UK and USA.

Over Mark Zuckerberg's signature, the ad apologised for the 2014 quiz app at the bottom of the scandal, saying “we're now taking steps to make sure this doesn't happen again”. The rest of the ad text is at follows:

We've already stopped apps like this from getting so much information. Now we're limiting the data apps get when you sign in using Facebook.

We're also investigating every single app that had access to large amounts of data before we fixed this. We expect there are others. And when we find them, we will ban them and tell everyone affected.

Finally, we'll remind you which apps you've given access to your information – so you can shut off the ones you don't want anymore.

Thank you for believing in this community. I promise to do better for you.

Given that Apple has a far less permissive attitude to user privacy, Tim Cook was commendably not-smug when he chimed into the debate.

Speaking at the annual Chinese Development Forum in Beijing on Saturday, Bloomberg quoted Cook as calling for stronger, “well-crafted” privacy regulation.

“The ability of anyone to know what you’ve been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life - from my own point of view it shouldn’t exist”, Cook said.

“We’ve worried for a number of years that people in many countries were giving up data probably without knowing fully what they were doing,” he added. Apple's concern that data would be abused in the form of profiling, with an inevitable user backlash, was a prediction that “has come true more than once”. ®

More about


Send us news

Other stories you might like