Fleeing Facebook app users realise what they agreed to in apps years ago – total slurpage

Zuck takes out full-page ads to apologise as Tim Cook calls for 'well-crafted' privacy laws


It was the weekend that had it all: promiscuous permissions dragged Google into the Facebook privacy row, Facebook apologised again while at the same time denying anything's wrong with its Android apps, and Tim Cook was totally not smug when he chimed into the privacy debate.

It's long been understood by people in tech (less so, El Reg suspects, in the broader public) that Facebook analysed users' interactions in its Social Graph. Doing so is the core of the company's advertising strategy and the purpose of the algorithms that choose what's at the top of users' feeds.

However, when people started deleting their accounts on the weekend, the more sharp-eyed realised Facebook was slurping more than they expected.

New Zealand LLVM developer Dylan McKay got the ball rolling with the following Tweet:

What McKay and others realised to their horror was that Facebook Messenger on Android uploaded far more than expected. Specifically: metadata for phone calls and text messages, even though they were sent with Android's default phone and SMS apps, not Facebook's Messenger apps.

The same kinds of everything-including-the-kitchen-sink permissions apply to the Facebook and Instagram apps.

You were warned: Facebook and Instagram Android app permissions

As Johns Hopkins University cryptographer Matthew Green put it:


The data slurp included Facebook app users' interactions with others who are not on Facebook – meaning people who never gave the Social Network™ permission for anything are probably profiled in its data troves anyway.

This was already an issue for Web users, with the infamous Facebook cookie the subject of lawsuits in Belgium (Facebook won) and France (Facebook lost).

In January, long-time Facebook antagonist Max Schrems was told he couldn't run a privacy class action in Austria, but individuals could sue in that country. Schrems is conducting a separate and very costly legal battle with Facebook in Ireland.

However, few if any users realised message metadata they believed were private were being uploaded.

As futurist and El Reg columnist Mark Pesce put it:

Pesce also mused on the ethical considerations that accompanied the development of a capability that results in such an extensive data-slurp:

Facebook has responded with a statement saying “uploading call and text history” was always opt-in (unless, of course, you're not a Facebook user, in which case you had no say in the matter).

The post says the data was never offered for sale, and also draws on the “metadata is not data” defence: “When this feature is enabled, uploading your contacts also allows us to use information like when a call or text was made or received. This feature does not collect the content of your calls or text messages. Your information is securely stored and we do not sell this information to third parties. You are always in control of the information you share with Facebook” (emphasis added).

Facebook's other response to the escalating scandal was to take out full-page mea-culpa newspaper advertisements in the UK and USA.

Over Mark Zuckerberg's signature, the ad apologised for the 2014 quiz app at the bottom of the scandal, saying “we're now taking steps to make sure this doesn't happen again”. The rest of the ad text is as follows:

We've already stopped apps like this from getting so much information. Now we're limiting the data apps get when you sign in using Facebook.

We're also investigating every single app that had access to large amounts of data before we fixed this. We expect there are others. And when we find them, we will ban them and tell everyone affected.

Finally, we'll remind you which apps you've given access to your information – so you can shut off the ones you don't want anymore.

Thank you for believing in this community. I promise to do better for you.

Given that Apple has a far less permissive attitude to user privacy, Tim Cook was commendably not-smug when he chimed into the debate.

Bloomberg quoted Cook, who was speaking at the annual Chinese Development Forum in Beijing on Saturday, as calling for stronger, “well-crafted” privacy regulation.

“The ability of anyone to know what you’ve been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life - from my own point of view it shouldn’t exist”, Cook said.

“We’ve worried for a number of years that people in many countries were giving up data probably without knowing fully what they were doing,” he added. Apple's concern that data would be abused in the form of profiling, with an inevitable user backlash, was a prediction that “has come true more than once”. ®
