It was the weekend that had it all: promiscuous permissions dragged Google into the Facebook privacy row, Facebook apologised again while at the same time denying anything's wrong with its Android apps, and Tim Cook was totally not smug when he chimed into the privacy debate.
It's long been understood by people in tech (less so, El Reg suspects, in the broader public) that Facebook analysed users' interactions in its Social Graph. Doing so is the core of the company's advertising strategy and the purpose of the algorithms that choose what's at the top of users' feeds.
However, when people started deleting their accounts on the weekend, the more sharp-eyed realised Facebook was slurping more than they expected.
New Zealand LLVM developer Dylan McKay got the ball rolling with the following Tweet:
Downloaded my facebook data as a ZIP file— Dylan McKay (@dylanmckaynz) March 21, 2018
Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD
What McKay and others realised to their horror was that Facebook Messenger on Android uploaded far more than expected. Specifically: metadata for phone calls and text messages, even though they were sent with Android's default phone and SMS apps, not Facebook's Messenger apps.
The same kinds of everything-including-the-kitchen-sink permissions apply to the Facebook and Instagram apps.
You were warned: Facebook and Instagram Android app permissions
As Johns Hopkins University cryptographer Matthew Green put it:
An underreported detail from these “I got my Facebook data” stories: combining Facebook with the (non)-privacy-protections of Android is like setting wild dogs loose on a buffet.— Matthew Green (@matthew_d_green) March 24, 2018
Facebook's inflection point: Now everyone knows this greedy mass surveillance operation for what it isREAD MORE
The data slurp included Facebook app users' interactions with others who are not on Facebook – meaning people who never gave the Social Network™ permission for anything are probably profiled in its data troves anyway.
In January, long-time Facebook antagonist Max Schrems was told he couldn't run a privacy class action in Austria, but individuals could sue in that country. Schrems is conducting a separate and very costly legal battle with Facebook in Ireland.
However, few if any users realised message metadata they believed were private were being uploaded.
As futurist and El Reg columnist Mark Pesce put it:
Facebook has metadata (and possibly message content, idk) for every text message sent to me by every Android user of its app until October 2017. And every one I sent them.— Mark Pesce (@mpesce) March 25, 2018
I didn't ask to have my private conversations recorded.
So your choices have consequences - for me.
Pesce also mused on the ethical considerations that accompanied the development of a capability that results in such an extensive data-slurp:
"Hi, in our meeting today we're going to develop a schedule toward a new product feature - reading and uploading all of our users' text messages."— Mark Pesce (@mpesce) March 25, 2018
Imagine being an engineer in that room. And wondering how your karma landed you there.
Facebook has responded with a statement saying “uploading call and text history” was always opt-in (unless, of course, you're not a Facebook user, in which case you had no say in the matter).
The post says the data was never offered for sale, and also draws on the “metadata is not data” defence: “When this feature is enabled, uploading your contacts also allows us to use information like when a call or text was made or received. This feature does not collect the content of your calls or text messages. Your information is securely stored and we do not sell this information to third parties. You are always in control of the information you share with Facebook” (emphasis added).
Facebook's other response to the escalating scandal was to take out full-page mea-culpa newspaper advertisements in the UK and USA.
Over Mark Zuckerberg's signature, the ad apologised for the 2014 quiz app at the bottom of the scandal, saying “we're now taking steps to make sure this doesn't happen again”. The rest of the ad text is at follows:
We've already stopped apps like this from getting so much information. Now we're limiting the data apps get when you sign in using Facebook.
We're also investigating every single app that had access to large amounts of data before we fixed this. We expect there are others. And when we find them, we will ban them and tell everyone affected.
Finally, we'll remind you which apps you've given access to your information – so you can shut off the ones you don't want anymore.
Thank you for believing in this community. I promise to do better for you.
Given that Apple has a far less permissive attitude to user privacy, Tim Cook was commendably not-smug when he chimed into the debate.
Speaking at the annual Chinese Development Forum in Beijing on Saturday, Bloomberg quoted Cook as calling for stronger, “well-crafted” privacy regulation.
“The ability of anyone to know what you’ve been browsing about for years, who your contacts are, who their contacts are, things you like and dislike and every intimate detail of your life - from my own point of view it shouldn’t exist”, Cook said.
“We’ve worried for a number of years that people in many countries were giving up data probably without knowing fully what they were doing,” he added. Apple's concern that data would be abused in the form of profiling, with an inevitable user backlash, was a prediction that “has come true more than once”. ®