Facebook admits: Apps were given users' permission to go into their inboxes

Only the inbox owner had to consent to it, though... not the people they conversed with

Facebook has admitted that some apps had access to users’ private messages, thanks to a policy that allowed devs to request mailbox permissions.

The revelation came as current Facebook users found out whether they or their friends had used the "This Is Your Digital Life" app that allowed academic Aleksandr Kogan to collect data on users and their friends.

Users whose friends had been suckered in by the quiz were told that as a result, their public profile, Page likes, birthday and current city were “likely shared” with the app.

So far, so expected. But, the notification went on:

A small number of people who logged into “This Is Your Digital Life” also shared their own News Feed, timeline, posts and messages which may have included post and messages from you. They may also have shared your hometown.

That’s because, back in 2014 when the app was in use, developers using Facebook’s Graph API to get data off the platform could ask for read_mailbox permission, allowing them access to a person’s inbox.

That was just one of a series of extended permissions granted to devs under v1.0 of the Graph API, which was first introduced in 2010.

Following pressure from privacy activists – but much to the disappointment of developers – Facebook shut that tap off for most permissions in April 2015, although the changelog shows that read_mailbox wasn’t deprecated until 6 October 2015.

Facebook confirmed to The Register that this access had been requested by the app and that a small number of people had granted it permission.

“In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen,” a spokesborg told us.

“According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Facebook tried to downplay the significance of the eyebrow-raising revelation, saying it was at a time when mailboxes were “more of an inbox”, and claimed it was mainly used for apps offering a combined messaging service.

“At the time when people provided access to their mailboxes – when Facebook messages were more of an inbox and less of a real-time messaging service – this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place,” the spokesperson said.

Presumably the aim is to imply users were well aware of the permissions they were granting, but it’s not clear how those requests would have been phrased for each app.

We asked Facebook what form this would have taken – for instance if users could have been faced with a list of pre-ticked boxes, one of which gave permission for inbox-surfing – but got no response.

Although Facebook has indicated Kogan’s app did request mailbox permissions, Cambridge Analytica – which licensed the user data from Kogan – denied it received any content of any private messages from his firm, GSR.

But this is about more than GSR, Cambridge and SCL Elections: for years, Facebook’s policy allowed all developers to request access to users’ inboxes.

That it was done with only one user's permission – the individuals "Friends" weren’t alerted to the fact messages they had every right to believe were private, were not – is yet more evidence of just how blasé Facebook has been about users’ privacy.

Meanwhile, the firm has yet to offer details of a full audit of all the apps that asked for similar amounts of information as Kogan's app did – although it has shut down some.

And it is only offering current users a simple way to find out if they were affected by the CA scandal; those who have since deactivated or deleted their accounts have yet to be notified. We've asked the firm how it plans to offer this information, but it has yet to respond.

Amid increased scrutiny, Facebook is trying to sell the idea that it’s sorry, that it has learned from its mistakes and that it is putting users first.

But it's going to be a tough sell: just last night, Mark Zuckerberg revealed that, when the firm first found out about GSR handing data over to Cambridge Analytica in 2015, it chose not to tell users because it felt that asking the firm to delete the data meant it was a “closed case”.

Zuck gets another chance to convince lawmakers and the public this afternoon. ®

Send us news

UK mulls making MSPs subject to mandatory security standards where they provide critical infrastructure

And to pay for the privilege. Consultation's open, though

Small and medium-sized managed service providers (MSPs) could find themselves subject to the Network and Information Systems Regulations under government plans to tighten cybersecurity laws – and have got three months to object to the tax hikes that will follow.

Plans to amend the EU-derived Network and Information Systems Regulations (NIS) are more likely than ever to see SMEs brought into scope, as The Register reported last year when these plans were first floated.

NIS is the main law controlling security practices in the UK today. Currently a straight copy of the EU NIS Directive, one of the benefits of Brexit leapt upon by the Department for Digital, Culture, Media and Sport (DCMS) is the new ability to amend NIS's reporting thresholds.

Continue reading

Can you compose memory across a HPC cluster? Yes. Yes you can

GigaIO CTO talks up 'solution that has a lot of what CXL offers'

GigaIO and MemVerge are developing a joint solution to enable memory to be composable across a cluster of servers, addressing one of the thorny issues in high performance computing (HPC) where some nodes may not have enough memory for the tasks in hand, while others may have spare capacity.

Continue reading

Working overtime? Those extra hours might not be hurting your wellbeing after all – just don't tell Jeff Bezos or Jack Ma

If you love your job, going the extra mile might not be stressful or cause depression

Working too hard? Is that overtime making you feel like you're caught in the vice-like jaws of burnout? Well, keep on carrying on because far from negatively impacting your well-being, it might actually be good for you if you love your job.

Or so says research from the ESCP Business School by Argyro Avgoustaki, an associate professor of Management and Almudena Cañibano, an associate professor in Human Resources Management.

The crucial distinction comes from the motivation behind why individuals put in those extra hours: whether it is due to an inner desire or external pressures from the higher ups.

Continue reading

Privacy is for paedophiles, UK government seems to be saying while spending £500k demonising online chat encryption

So far we've got a pisspoor video and... er, that's it

Opinion The British government's PR campaign to destroy popular support for end-to-end encryption on messaging platforms has kicked off, under the handle "No Place To Hide", and it's as broad as any previous attack on the safety-guaranteeing technology.

Reported by us well in advance last year, the £500k campaign aims to destroy public support for end-to-end encryption (E2EE) as part of a wider strategy.

That intends to make it easy for police workers and other public-sector snoopers to read the public's online conversations without having to get prior permission or defeat privacy protections.

Continue reading

'Now' would be the right time to patch Ubuntu container hosts and ditch 21.04 thanks to heap buffer overflow bug

Red Hat agrees

The CVE-2022-0185 vulnerability in Ubuntu is severe enough that Red Hat is also advising immediate patching.

The flaw allows a process inside a Linux user namespace to escape, which means it potentially affects any machine running containers.

If you're not running any containers, you can just disable the user-namespace functionality – both companies' vulnerability descriptions describe how to do that on their respective distros. It affects RHEL (and derivatives) as well as Ubuntu 20.04, 21.04 and 21.10 – and presumably other distros, too.

Continue reading

Fujitsu wants technology to shape a better future – its technology, of course

Quantum, HPC, and AI to take us to rainbow sunshine happy land

Fujitsu wants to make the world a better place and thinks technology is the way to do it. Fujitsu technology, naturally.

The Japanese multinational laid out its vision – outlining an automated, converged world, with AI to support decision making – for the next decade or so during its ActivateNow: Technology Summit online. Fujitsu also explained how it believes technology will help to address various global challenges, including climate change, biodiversity, inequality, and (in developed countries) an ageing population.

Kicking off the keynote address, CTO Vivek Mahajan said Fujitsu believes it has a responsibility as a tech company to address global issues, and saw technology as key to solving these challenges. "The potential for innovation to make a positive impact is enormous," he said.

Continue reading

First they came for Notepad. Now they're coming for Task Manager

Is nothing safe from the dead hand of the Windows 11 design aesthetic?

Windows' murderous Task Manager looks set to get a makeover in Windows 11 after a work-in-progress turned up in the latest Insider Dev Channel build.

Continue reading

The robots are coming! 12 million jobs lost to automation in Europe by 2040 – analyst

Ageing populations, competition, cost-cutting and COVID-19 driving increased adoption

Across Europe, 12 million jobs will be lost by 2040 through automation technologies, according to analyst firm Forrester Research.

With the pandemic increasing the adoption of digital technologies in business, the region is forecast to embrace automation to address its demographic challenges, the analyst said in a new report. By 2050, the five leading economies in Europe – France, Germany, Italy, Spain, and the UK – are expected to have 30 million fewer people of working age.

The report also mentioned that investments in automation will become key to how European governments look at their competitiveness.

Continue reading

NortonLifeLock and Avast tie-up falls under UK competition regulator's spotlight

CMA invites comments from 'interested parties' on what merger means to them

The UK's Competition and Markets Authority has invited comments from industry and interested parties about NortonLifeLock's proposed $8bn purchase of fellow infosec outfit Avast.

The merger inquiry will run until the 16 March when the comments will be collated and assessed to determine if there is sufficient concern to warrant a deeper investigation.

"The CMA is considering whether it is or may be the case that this transaction, if carried into effect, will result in the creation of a relevant merger situation under the merger provisions of the Enterprise Act 2002," it said.

Continue reading

Lots of new toys, caps lock still stuck on: ONLYOFFICE hits version 7

LibreOffice alternative unfurls latest productivity software update

Another contender in the productivity stakes, ONLYOFFICE Docs, has hit version 7, introducing fillable forms as well as multiple tweaks for its web and desktop applications.

ONLYOFFICE is yet another option for users seeking an alternative to the tech giants, and currently comes in a self-hosted or desktop guise. A cloud version will, according to the team, "be available a bit later."

The first major release of 2022, version 7 is a handy update. While the word processor, spreadsheet, and presentation modules have useful modifications, most eye-catching is the ability to create fillable forms online.

Continue reading

Web daddy Tim Berners-Lee on privacy, data sharing, and the web's future

'Ensure that code you write works with these open standards'

Sir Tim Berners-Lee said today he believes many current global challenges can be solved if people can be convinced to share data – but on their own terms.

Continue reading