
Facebook denies it collects call and SMS data from phones without permission - wil_wheat_on
https://techcrunch.com/2018/03/25/facebook-denies-it-collects-call-and-sms-data-from-phones-without-permission/
======
ponderatul
I think we are talking differently about this permission concept. Legally yes,
they had permission. But the fact that they used those dark ux patterns to
request that permission should not be forgotten.

Even though legally they are in the right, we as users should make this fact
irrelevant and just abandon the platform. Let them be right, let them win the
argument but lose the battle with the general public.

~~~
akuji1993
I'm still completely convinced that this whole scandal will not damage
Facebook a bit, in the long term. Yeah, the stock is going to be a bit lower
for some weeks, some people will leave, but the largest part of the Facebook
users has not even realised the scandal in full scale. They're not going
anywhere, they're going to continue as is, since there really is not
alternative for Facebook right now and tbh they would just probably do the
same thing to their users so why bother. The only solution for people
concerned with this is giving up on social media all together. The majority
however won't care at all and still continue using Facebook.

~~~
OliverJones
> the largest part of the Facebook users has not even > realized the scandal
> in full scale.

Exactly. That's why they must be regulated. Pharma companies, food companies,
and airlines, to mention three, have the same sorts of characteristics in
their businesses.

Examples: Airlines have regulations because the typical user has no way to
evaluate maintenance regimes or navigation procedures. The big information-
hoovering dotcoms need the same sorts of regulations for the same sorts of
reasons. "We obtained user permission" needs to be a stronger claim than "we
tricked users into checking a box."

~~~
kingofhdds
No, in fact, airlines have regulations, because big flying objects loaded with
fuel are kinda seriously dangerous, and can kill (not in un*x console meaning
of the word) lots of people at once. Very unlike social platforms, to be fair.

If regulations were introduced because of users not knowing what's good and
beautiful, believe me, IT industry would be the most regulated thing in the
world.

~~~
zzzeek
airplanes are kind of unlike banks and trading markets too yet those are also
heavily regulated.

~~~
aylmao
To be fair, banks and trading markets affect the economy directly, which is a
primary concern of the government.

------
osteele
“Privacy means people know what they’re signing up for. In plain English, and
repeatedly. That’s what it means. I’m an optimist. I believe people are smart.
And some people want to share more data than other people do. Ask them. Ask
them every time. Make them tell you to stop asking them if they’re tired of
you asking them. Let them know precisely what you’re going to do with their
data. That’s what we think.” — Steve Jobs, 2010 WSJ AllThingsD Conference

Video:
[https://www.youtube.com/watch?v=39iKLwlUqBo&app=desktop](https://www.youtube.com/watch?v=39iKLwlUqBo&app=desktop)

Transcript: [https://www.digitalmusicnews.com/2018/03/25/steve-jobs-
user-...](https://www.digitalmusicnews.com/2018/03/25/steve-jobs-user-
privacy-2010/)

Recent article: [https://qz.com/1236322/apples-steve-jobs-tried-to-warn-
faceb...](https://qz.com/1236322/apples-steve-jobs-tried-to-warn-facebooks-
mark-zuckerberg-about-privacy-years-before-the-cambridge-analytica-debacle/)

~~~
zbentley
It's almost like the company he headed made next to no money from selling its
users' data.

Sarcasm aside, it's a good quote, but misses the crux of the issue:
incentives. User data sharing/selling (whether through partnerships or
advertisement targeting) is Facebook's revenue model. Everything else they
make money off of is insignificant compared to that. This, I think, is what
people mean when they say something is "in a company's DNA": was a dubious
partnership with Cambridge Analytica or an only-deceptively-authorized
potential collection of contact/SMS data some sinister plot, or the goal all
along? Probably not. Was behavior like this considered less-than-scary to
Facebook's decision-makers, swept under the rug, or seen as a minor extension
of what they already do to make money? Almost certainly.

------
anilakar
I suspected this many years ago when familiar faces from our customers started
to appear in the friend suggestion box. I've never installed the FB app on my
phone, but our less privacy oriented customers probably have.

What pisses me off is that while I can choose what information I share, I
haven't given other people nor Facebook permission to read phone call logs
that involve me.

~~~
jobigoud
The worst part is that they probably suggested these various customers to
befriend themselves, just because they all had _you_ in their contact list.
Scenarios like these have been reported with unrelated patients of medical
professionals.

~~~
helloindia
Once I accidentally linked my Facebook account with Instagram. I was bombarded
with friend suggestions of people I follow on Instagram. I follow strangers in
Instagram when I like their photo feed. Facebook is only for family, close
friends and relatives. I linked Instagram with dummy Facebook account to flush
my Instagram profile of Facebook friend list and vice versa. There was no
other way to delink two accounts.

------
orbifold
Ok, well this is just great. So Facebook has all my contacts from their
aquisition of WhatsApp and even though I've never used any of their Apps or
had an account with them, I'm pretty sure everyone I typically communicate
with has the App and did not opt-out of this collection. So they get data on
me for free that the police would need a court order to get. This kind of data
retention has been highly controversial in Europe and is currently illegal for
carriers to do in some countries, even though the security services obviously
love it
([https://en.wikipedia.org/wiki/Data_retention](https://en.wikipedia.org/wiki/Data_retention)),
it is one of the few things I've actively politically fought against.

I _really_ hope they will eventually crater like all the other social networks
before them and I should have a way of asking them to delete all data they
have on me including meta data from sms/phone calls they might have collected.

~~~
mercer
My knowledge in this area is limited, so maybe others can pipe in, but
assuming massive amounts of data on millions (or most?) Facebook users is out
in the wild, which cannot be 'put back':

1\. how well can this be actually used currently to create a proper
psychosocial(?) profile of an individual? What's the current state of the art?
Any suggestions for books or papers to read on the matter?

2\. do we have any idea of how much our ability to do 1 will improve over
time, given the same data? I often find it difficult to separate the Derren
Brown style 'profiling' bullshit from what's actually possible. And I also
keep reading that 'big data' is not quite as easy to use as it's often made
out to.

3\. how valuable does this 'stale' data remain? Personality is by definition
supposed to remain stable, but I recall learning that even things like
friendships, political/world views, other non-personality characteristics are
relatively unchanging for most people after somewhere (early?) in their
twenties. This could mean that even if Facebook does privacy 'properly', or
somehow disappears, there's a rich dataset of individuals that, even if only
in the future, be shockingly powerful to manipulate. And we're already scarily
susceptible to manipulation using 'conventional' means.

~~~
rsync
"how well can this be actually used currently to create a proper
psychosocial(?) profile of an individual? What's the current state of the art?
Any suggestions for books or papers to read on the matter?"

I suspect quite poorly.

It's 2018 and I've been hearing pitches and narratives to do with fancy
targeting of advertisements and user profiling now for 22 years.

And what do we have ? If I search for something obscure related to an
(product), I will see _unbelievably blunt_ and almost comically generic
(product) ads for a week. Even if my search makes it obvious that I am not a
prospective customer.

What advertisers receive for their money on these platforms is laughable and I
am sure there's a complicated sales pitch with graphs and fancy terms of art
and mentions of "AI" ... and it's all just bullshit, just like it has always
been.

~~~
oselhn
I had one incident which convinced me that their algorithm is easily fooled
even by single misclick.

I hate ads propagating alcohol so I always report them to FB. Once I
misclicked and instead of reporting it I opened linked article. Based on that
click FB added alcohol to my interests. It did not matter that I reported all
other similar adds before and also after that.

~~~
eric_h
Whether the algorithms seem effective to you, as a single consumer of the
advertisements, is irrelevant.

Facebook ad campaigns most definitely work (though I'd imagine there's some
variance of effectiveness based on what exactly you're trying to sell with the
ad campaigns), and lookalike audiences are an effective way of determining who
to show your ads to.

It's really quite simple, as a company you can spend money on Facebook ads and
you _will_ get traffic/conversions/etc.

~~~
oselhn
I agree. But I reacted on comments disqusing if this algorithm is capable of
doing more than targeting ads to make them cost effective.

------
fimdomeio
I feel in a way very disturbed by all these news coming out. Not by their
contents, I don't feel there's nothing new here, but by the way way they are
written. Since when is it not known in the tech world that facebook's business
model exists around the idea of making a piece of legal spyware. At least
where I live it's unpolite to give someone's contacts to anyone without asking
the person first. I don't see why is it any different with facebook. Other
thing I don't understand is why aren't the users being paid for having
facebook accounts. If you look at it from a certain perspective, every like
and every photo is working for facebook, it does not feel like work but it is,
since you're creating the products that are being sold.

~~~
Joeri
Well, the users of facebook do get the facebook service in exchange for the
data they provide.

TANSTAAFL. If you don’t pay with money, you’re paying with something else.
Facebook is not a charity. The question is not whether they’re allowed to
obtain (non-monetary) payment for using their service, it’s whether it was
(and is) clear what the price is.

What irks me is why non of these services allow monetary payment. Why can’t I
pay for facebook with the express agreement that none of my data is sold? It
wouldn’t have mass market appeal, but it would silence many of the critics.
(Same deal for all ad-funded platforms: just let me pay with money instead of
time or attention.)

~~~
vincnetas
FB income : 15,920,000,000$ [1]

FB users : 2,129,000,000 [2]

$7.47/year

This is quite affordable. Curious how would marketing companies react to such
idea.

[1] [https://www.nasdaq.com/symbol/fb/financials?query=income-
sta...](https://www.nasdaq.com/symbol/fb/financials?query=income-statement)
[2] [https://www.statista.com/statistics/264810/number-of-
monthly...](https://www.statista.com/statistics/264810/number-of-monthly-
active-facebook-users-worldwide/)

~~~
jerrre
I keep hearing the argument that the people most likely to pay for not looking
at ads, are the most interesting to advertisers.....

~~~
pgwhalen
And it seems very plausible. I’m sure a HN reader is worth far more than $7.47
a year to Facebook.

------
Gaelan
The Facebook blog post includes this screenshot [0]. That's definitely an opt-
in, although I could imagine a non-technical person clicking through it
without reading the grey text. Better than nothing.

[0]: [https://fbnewsroomus.files.wordpress.com/2018/03/opt-
in_scre...](https://fbnewsroomus.files.wordpress.com/2018/03/opt-
in_screen.png?w=1152&h=2048)

~~~
jonathankoren
It is not "better than nothing," it is the minimum that is technically and
legally required.

The UI is intentionally deceptive.

The text is deceptive. The big text says "Text anyone in your phone," which
sounds great, but doesn't actually say anything about data sharing. The small
low contrast text, describes what they're doing. They know that by putting it
small and grey, most people wont read it.

The buttons are deceptive. It looks like there's only one button.

Even by putting all the permission stuff in a row on first startup is push
ploy. Everyone knows, people just keep clicking OK until they get to actual
app. People don't read the pages. People don't read the user agreements. They
just want to get through the roadblocks as fast as possible so they can get to
what they want.

None of this is by accident. All of these elements are chosen to push people
towards the desired outcome, to upload your contacts, SMS, and call history as
quickly as possible.

~~~
stefanmm
it appears to be a result of extensive A/B/C ... XY testing. In a way, the
users themselves have chosen it.

~~~
jonathankoren
That's an incredibly delusional way of framing it. What do you think the A/B
test was set up to optimize, privacy or number of uploads?

This permission screen is a push poll.[0]

[0]
[https://en.wikipedia.org/wiki/Push_poll](https://en.wikipedia.org/wiki/Push_poll)

~~~
stefanmm
number of uploads, obviously. Hacking the human lazyness.

~~~
jonathankoren
Well then it isn’t really much of choice is it? It’s a false choice. The
product manager will apply as much pressure as needed to get the desired
effect. To quote Captain Ramsey in Crimson Tide, “[Y]ou can get a horse to
deal cards. It’s just a matter of voltage.”

------
ibdf
I partially blame the Android permissions system. They are so generic you have
no idea what you are giving permissions to. Permission in this case: "Allow
INSERT APP NAME HERE to access your contacts?"

Access what? Read access? Write access? Get all of their name and contact
fields? Send them text messages? Call them? Spam?

If I don't give them the access, what happens next? Can I not use the app?
Will the app break? Will the app just ignore it?

There's no information. If you google it for more information you will have to
dig for it in some obscure google groups forum, and then yet it's not really
clear. Because when you google for Android App Permissions you get results
meant for Android Developers, and not normal human beings (jk about the normal
human beings part).

------
randomsearch
If you haven't already installed Signal on your phone, please go and do so. To
have alternatives to Facebook/W/I we need to build up network effects. Pretty
easy to convince tech people to do this, and it would be a good start for
getting Signal in as a replacement.

~~~
antoineMoPa
Is signal decentralized? If it is decentralized, how is the network effect
built? (Is everyone isolated on their server with a subset of all signal
users, or is there a way to communicate with someone using another signal
sever?).

~~~
srslack
It can be federated (and was in the past) but Moxie has complained about
federation holding development back.

[https://en.wikipedia.org/wiki/Signal_(software)#Federation](https://en.wikipedia.org/wiki/Signal_\(software\)#Federation)

~~~
sridca
> It is unlikely that we will ever federate with any servers outside of our
> control again, it makes changes really difficult.
> [https://github.com/LibreSignal/LibreSignal/issues/37#issueco...](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)

So doesn't that mean a single party will control Signal? What prevents them
from becoming the next Facebook?

------
eecc
Again this tells me the current security model is out of date. Permissions to
stop random hax0r to 0wn your root is basically useless. I don't care about
/var/www/... while I'd be desperate if my ~/Documents was whisked away by some
dodgy app.

Signed/Unsigned is only a stopgap, we need user friendly UX to control which
app has access to what data and even within the same app, establish Chinese
Walls between personal data access and networked code.

------
plasma
Facebook Messenger is keeps reminding me to let it access my contacts “to find
my friend”; after telling it no it stops reminding for a while then it comes
back again.

This attitude is just an example of the constant weasel to get access to the
data.

------
JepZ
Everybody is talking about Facebook these days, but is anybody considering to
delete his Whatsapp and Instragram accounts too? I mean, aren't they part of
Facebook nowadays?

Wouldn't it be consistent to abandon all Facebook services?

~~~
a012
I do, abandoned Instagram, Whatsapp, and FB for a year and I don't miss a
thing. Keep in touch with real friends instead of checking the virtual ones.

~~~
lotsofpulp
If you have international family/friends, WhatsApp is the most ubiquitous and
easy to use option I’ve come across.

~~~
seba_dos1
Honest question: Is it really? That can be just my network, but I've never
stumbled upon anyone using WhatsApp here in Poland. I only know this name
because I follow tech news. Almost everyone uses Facebook's Messenger, some
people use Telegram, sometimes Hangouts, gamers use Discord, techies Signal or
Jabber and that's pretty much it.

~~~
ng-user
When I was in the Nederlands last year they actually had public signage
advertising a WhatsApp group chat (for emergencies and the like) for the
surrounding community.

I was surprised by how popular it is.

~~~
drukenemo
I'm from Brazil, live in the Netherlands. Whastapp is ubiquitous in both
places. Not using it today is akin to not having a mobile phone years ago.

------
shard972
Could anyone here imagine if an application we installed on our computers did
this? What if the twitter app went around my computer after asking for admin
permissions to find all my contacts and messages from different programs just
to beam up to facebook.

Such a thing was considered a virus in my time.

~~~
AnonymousPlanet
Oh, if you have Windows 10, the vendor's assumption already is that the same
rules apply as with mobile platforms. In that mindset, there's little point to
differentiate.

------
rweba
I have been thinking about it and I think the issue with Facebook in
particular is how AGGRESSIVE and CARELESS they have always been in violating
privacy. Just like Uber their philosophy is "It's easier to get forgiveness
than permission". And of course they have an official slogan of "Move fast and
break things".

So all these different controversies are not just a coincidence but are very
much baked into their organizational culture. They are obsessed with winning
at all costs and clearly see privacy issues as just inconveniences to
achieving their goals.

I am not sure if it is possible to imagine a social network that truly
respected privacy at its core, that didn't try to get away with as much as it
could, that put its users interests ahead of increasing Daily Active Users.

But if Facebook actually operated like that, I suspect there would be a lot
less concern.

I don't know if that is even possible though.

------
on_and_off
I remember working on integrating facebook with an app I was working on
several years ago. It was in the pre-M days, so Android was still using the
old install time permission system.

As soon as facebook would be installed without even running the app, it would
access the contact database and do network operations (very probably uploads
.. ).

For this reasons, well among many others, I never installed the facebook app
on one of my personal devices at the time.

In their credit, when M arrived, they have updated their app pretty quickly to
the new permission model.

Still, I try to be as conservative as possible with critical permissions.

The only one I regret is whatsapp now that facebook owns them.

~~~
cpv
This is an issue for other messaging clients as well, having the "Sync
contacts" enabled by default. So by the time you get in the settings to
disable, your contacts might on a server already.

~~~
on_and_off
Yeah, it always made me frown when at the time people were using the hidden
API to remove permissions manually after install .. (and complain when Google
removed that testing tool before shipping proper incremental permissions in
the next release). That's just not how it works.

Thankfully now that permissions are incremental, this issue is solved.

Except some apps still target an old API in order to keep install time
permissions .. like SnapChat.

This will soon no longer be possible since Google will force apps to target
the last API level.

Still, people don't seem to realize what giving an app access to 'contacts' or
'SMS' means.

I am not sure how to solve that tbh :/

------
moistoreos
The issues surrounding Facebook are systemic to our corporate environment and
culture. So, really it's a multifaceted problem that the media has disguised
as Facebook's sole problem.

They're an American company so profit is of course precedent over everything
else. If users are naive enough to think everything they ever did on Facebook
could be private, then they just cease to use it for private communications.

Culturally, there's a giant lack of people wanting to actually pay for most
things digital. I don't see why it's ok to pay $5 for a mobile game on your
phone but people aren't willing to fork over $10/yr for a modicum of privacy.

Should take a poll on this....

Thoughts?

------
krick
Since here's yet another thread about Facebook, I'll ask somewhat unrelated
question I already asked on HN, but never seen an answer: can somebody
explain, why the scandal around Cambridge Analyica (and, "suddenly", a bunch
of other rumors about FB) escalated just now, even though we knew about FB,
Cambridge Analytica & Trump for about a year at least (well — I knew for a
year, sure lots of people knew earlier)?

I suspect I know the answer, but I have faint hope that it's not true and
somebody can provide a bit more "sane" explanation.

~~~
p49k
For me, it was because a year ago there was only one source for this info, and
it was a somewhat dubious one (Vice). I assumed after the initial report that
what CA did was more in line with Obama’s tactics, which were more benign and
standard. It’s only recently become totally clear that the worst of the
reports were true.

~~~
bhtru
Scout.ai was where it first broke I believe with their “The Rise of the
Weaponized AI Propaganda Machine” piece from last Feb.

------
p4bl0
Err, seriously is that their defense? Even with permission, why would they
need those personal data for any legit purpose that their users would deem
useful?

------
aembleton
I've just installed NetGuard [1] and found both Facebook and Messenger apps to
be very chatty. I guess I expected that. But what suprised me is that my SMS
app, Textra [2] was making calls to graph.facebook.com. I have paid for the
app so there should be no need to contact Facebook to provide advertising.

As it is just there for SMS, I've completely removed it's access to the
internet which is possible through NetGuard.

1\.
[https://play.google.com/store/apps/details?id=eu.faircode.ne...](https://play.google.com/store/apps/details?id=eu.faircode.netguard&hl=en)

2\.
[https://play.google.com/store/apps/details?id=com.textra&hl=...](https://play.google.com/store/apps/details?id=com.textra&hl=en_GB)

------
CodeSheikh
From FB official statement: "When you sign up for Messenger or Facebook Lite
on Android, or log into Messenger on an Android device, you are given the
option to continuously upload your contacts as well as your call and text
history."

Why FB needs users call and text history in first place? These privacy options
are enabled by default when you install Massenger app and majority of the
people are not aware of these privacy settings on their phones. And even if
you alter a privacy setting on you phone then upon next update of the
Massenger application it gets reset to defaults! And we all know the high
frequency of app updates. It is like all of these are part of a bigger
systemic issue and it smells foul play.

~~~
MikkoFinell
They need call and text history to data mine so they can make money off of you
by selling ads, and creating a psychological profile that will help make their
products more intrusive.

------
reacharavindh
So, this happened and we have confirmed about the dark patterns whether
consented or not. What are good alternatives in this "Network effect" age?
Facebook - I hardly use anymore. It exists undeleted because it serves as a
kind of Social ID. I don't have the App installed anywhere, neither do I
access it from my regular browser.

The thing I'm struggling to get alternative for is WhatsApp. How could I talk
to all my contacts in a cross platform way without annoying them about
installing yet another app?

Text/SMS - costs money because of shitty carriers.

IMessages - Works great but only on iPhones. :-(

Signal - good on paper - still have to trust Moxie not selling out, and needs
people to install to be any useful.

~~~
kome
Also: Facebook works on every platform, while at Signal they have a strange
cellphone fetish.

I would _love_ to use Signal, but I have to use Telegram. The Telegram desktop
app is awesome, and it doesn't need a cellphone.

~~~
anilakar
Signal has a desktop app nowadays and Telegram still requires a phone number
to use.

While Signal's QR code pairing method is more awkward than Telegram's SMS one,
it also prevents your account from getting hacked remotely in Iran by stealing
your SMS messages:
[https://securityaffairs.co/wordpress/49976/intelligence/tele...](https://securityaffairs.co/wordpress/49976/intelligence/telegram-
massive-hack-iran.html)

~~~
kome
But with Signal you still need a smartphone (i.e: very bad for privacy); while
with telegram you don't. Also, with Telegram you can protect the account with
a password, so you can use a burner phone, literally once, and then forget
about it.

~~~
def_true_false
With Telegram you have no privacy - no one uses the e2ee (secret chats).
Perhaps because the desktop client doesn't support the feature, and even if it
did, secret chats wouldn't sync across devices.

~~~
kome
it's not like the chats are in clear text, because they are not. They aren't
encrypted e2e, but they are still encrypted.

------
roel_v
So I downloaded my facebook data a few days ago and there were no phone nrs in
there, no call history, actually much less of everything than I thought they'd
have. Are they lying to me or does this depend on other factors?

~~~
WA
I’d argue the data arcchive one can download are incomplete. One, it’s missing
Likes.

Second, I never put my phone number in Facebook, but I know they have it,
because at one time, it was pre-filled in the _enable account recovery by
phone_ -dialog.

So what you can export isn’t the full story. The question however is: how do
you prove that and really ask for ALL data they have on you?

~~~
iaml
Are you sure it's not your browser auto-fill?

~~~
robryan
Or just harvested out of a friends contacts who has the phone number and email
address.

~~~
WA
Exactly. My point is: FB has way more data about me than the download archive
of my data contains/suggests.

------
spdy
The problem is not collecting its connecting the data with users who did not
give permission.

The social graph should be one way not two-way and unrelated data should be
discarded.

Like in the post we had a few days ago where someone exported his Facebook
data and got call histories from his mother in his data.

------
fortythirteen
What is the legality of Facebook recording the SMS conversations of someone
who never signed up for FB, but whose text messages got caught in the feed of
someone who did?

Secondly, were they just siphoning text or did they get a whole bunch of nudie
photos too?

------
drawkbox
Much of this blame goes on Android and some on iOS/Apple.

The phone/call permissions, especially for Android, were needed for any app
that wants to suspend when a call comes in and for analytics/social libs.

I always hated that about Android especially because even harmless games made
it look like you were taking contacts and monitoring calls.

Of course this would be abused and it is all over the place. Unfortunately
lots of apps/games are specifically built to harvest data and this was a major
flaw in their permissions handling. You shouldn't need a monitor phone calls
permission to allow a call to come in over your app while someone is using or
playing it.

~~~
orb_yt
> The phone/call permissions, especially for Android, were needed for any app
> that wants to suspend when a call comes in.

No they weren't

~~~
drawkbox
You need/needed READ_PHONE_STATE if you wanted to suspend your app data/saving
and allow calls to be accepted you did.

For instance you are playing a game and a call comes in, you needed them to
allow that and to possibly not crash your game and save your data as well as
for some analytics/social network integration.

Also if you allowed os level music to be played over game audio, you need that
to handle music and app state when a call came in.

It was/is a default on many large app platforms including game engines like
Unity and any social network app integration such as Google Play Game Services
and Unity analytics [1][2]. When you have READ_PHONE_STATE you could get the
number and more.

For games it wasn't such a big thing but for apps like Facebook that are
always running and kept alive playing a silent sound [3], it could get every
call that ever came in on record and apparently did. With these holes, apps
could scrape everything and they did [4].

[1] [https://forum.unity.com/threads/unity-5-1-adds-android-
permi...](https://forum.unity.com/threads/unity-5-1-adds-android-permission-
read_phone_state-automatically-how-to-remove-it.333431/)

[2] [https://stackoverflow.com/questions/39668549/why-has-the-
rea...](https://stackoverflow.com/questions/39668549/why-has-the-read-phone-
state-permission-been-added)

[3]
[https://www.reddit.com/r/iphone/comments/3opxhm/facebook_app...](https://www.reddit.com/r/iphone/comments/3opxhm/facebook_app_appears_to_use_silent_audio_for/)

[4] [https://arstechnica.com/information-
technology/2018/03/faceb...](https://arstechnica.com/information-
technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-
android-phones/)

~~~
icebraining
Where's the reference that you needed READ_PHONE_STATE to suspend your app?
Shouldn't the app be automatically suspended when the caller app goes into the
foreground?

~~~
drawkbox
The Facebook app itself is the real issue as both the Facebook app and
Facebook Messenger require everything including READ_PHONE_STATE and contact
permissions and pretty much everything[1][2].

> _Where 's the reference that you needed READ_PHONE_STATE to suspend your
> app? Shouldn't the app be automatically suspended when the caller app goes
> into the foreground?_

Mostly for analytics and social platforms to access unique identifier for
analytics you needed it such as in Unity up to 2015 [3][4].

> _The Android build enforces READ_PHONE_STATE if the code has references to
> SystemInfo.deviceUniqueIdentifier. INTERNET is added when any network
> classes are referenced. ACCESS_NETWORK_STATE is added when calling
> Application.internetReachability_

Also, early on it was required for saving state and or ensuring the app didn't
crash. Mobile OSes were moving fast and without it the apps didn't auto
suspend which they mostly do now. You can see some of this discussion in the
links I included above. Anything older than Android Ice Cream required it as
well.

It is added in by many plugins as well such as Google Game Play Services or
other Analytics packages that most people didn't check. There was a reason the
market was and is flooded with analytics packages.

It seems to re-pop up in analytics packages quite a bit and many aren't
checking close enough per this example 2016 [4][5][6][7].

Largely it is due to people just building and shipping fast, there are other
things that trigger it but the most common are doing things on suspend when a
call comes in or to help allow the music to play in your game/app and turn off
when a call comes in or analytics packages.

For the most part it is not needed now but up to 2016 it still was in many
areas since Android started.

[1]
[https://play.google.com/store/apps/details?id=com.facebook.k...](https://play.google.com/store/apps/details?id=com.facebook.katana)

[2]
[https://play.google.com/store/apps/details?id=com.facebook.o...](https://play.google.com/store/apps/details?id=com.facebook.orca)

[3] [https://answers.unity.com/questions/987433/read-phone-
state-...](https://answers.unity.com/questions/987433/read-phone-state-
permission-since-51.html)

[4] [https://forum.unity.com/threads/unity-5-1-adds-android-
permi...](https://forum.unity.com/threads/unity-5-1-adds-android-permission-
read_phone_state-automatically-how-to-remove-it.333431/#post-2202146;)

[5] [https://stackoverflow.com/questions/39668549/why-has-the-
rea...](https://stackoverflow.com/questions/39668549/why-has-the-read-phone-
state-permission-been-added)

[6] [https://github.com/facebook/facebook-sdk-for-
unity/issues/58](https://github.com/facebook/facebook-sdk-for-unity/issues/58)

[7] [https://forum.unity.com/threads/read_phone_state-
permission-...](https://forum.unity.com/threads/read_phone_state-permission-
auto-included-when-newest-unity-facebook-sdk-versions-installed.469820/)

------
apricot
"Without permission." Translated: our lawyers say that some part of the
50-page user agreement you clicked can be interpreted in a way that
technically allows us to do this.

------
Maro
In the last days, FB stock has lost ~15% of its value (from $185 to $160),
that's like 2 Twitters..

Next earnings call will be early May probably.

~~~
tehlike
There will be a rebounce, if EFX is any indicator, and FB is a hotter stock
with higher profit margin.

~~~
Freestyler_3
unless it takes a turn for the worse.

~~~
tehlike
Everything is possible. Part of last weeks action was cummulative plunge in
the stock market, trump's trade wars, rising rates, and so on.

------
bborud
Well, the whole point is that people are not aware of what they have opted
into and Facebook exploits this for all it is worth.

------
superkuh
It's weird that people can get so upset about these limited excesses of
surveillance by companies they've given explicit conset to when more and more
of the governments of the world are literally recording everything forever and
sharing it with a rapidly expanding set of organizations made up of the same
kind of people.

~~~
SlowRobotAhead
I’ve this comment written a lot here. And while I get it and even agree
partially, there is a problem of scope and precedent.

It’s easy for _us_ to say _“stupid user, wtf did you think fb was doing?”_
But, the truth is _we_ don’t actually know.

As tech people _we_ are even just guessing at the real scope of FB’s
collection and how they use that data. It’s not like this is something a
typical user could really know because there hasn’t been a Facebook before.

~~~
superkuh
And I didn't have to know because I never signed up for Facebook because it's
obvious that centralization leads to perverse incentives. It's been obvious
from the start but dismissed without consideration ala
[https://xkcd.com/743/](https://xkcd.com/743/)

~~~
SlowRobotAhead
Yea, but as to the comic, man sometimes you really do just need to get some
fucking work done. If I sent an openLibre document around to my company, well,
that would be dumb.

~~~
superkuh
That's reasonable. But it isn't reasonable to let your personal choices be
dictated by where you work. I'm not saying use LibreOffice for work. I'm more
saying that you shouldn't let your work define your opinions.

------
mrarjen
I always enjoy these lawyer correct texts by facebook and how we all know it's
been going on for a long time now. If only the general public would suddenly
all figure this out!

It's 50/50 now if everyone will forget this next month, or if the new trend
continues to remove facebook.

~~~
hux_
Yup. Everything has been reduced to generating memes/outrage and reacting to
them.

Only exit from the trap is turn off the internet.

------
qwerty456127
Of course it does and can deny it - isn't a user forced to grant the
permission when installing the app?

IMHO Google is to stop abuses like this on the Android OS level by means of
allowing users to deny any particular permission an app demands and still
install the app, encouraging users to grant/deny every particular permission
consciously and forcing the app authors to handle denial of any particular
permission gracefully without crashes and without denying to function (but in
the cases when it is absolutely physically impossible to fulfill the function
the user invokes without the missing permission).

~~~
acqq
Both Google and Apple should provide "middle" controls. Even if I grant the
app "access" to my contacts, I want to be able to select "which" contacts and
which fields.

E.g. if I use whatsapp for 3 people out of my 100 contacts saved in my phone,
I want to be able to give to whatsapp only the access to the phones of these 3
contacts. Others should be invisible for whatsapp, if I want so.

And they should not get the addresses, birth dates and my notices about even
these 3 contacts. They should not be able to see them, unless I explicitly
want to allow.

I know, users are lazy, but at least the fine grained control and white-
listing should be an option. Now it's all or nothing.

~~~
pishpash
There are rooted utilities that do this, or allow you to spew fake data at
those apps. That is, if you could unlock your bootloader and install the
software you want.

You should really blame phone manufacturers/carriers and Congress for giving
you the privilege of paying for a piece of locked hardware that you don't own.
They're only loaning you a billboard, after all, so what do you expect?
Personally I wouldn't put any important information on a locked device, nor do
I ever acquire unlockable devices. People have lost their minds giving up all
of the most important electronic freedoms that form the backbone of the
future.

~~~
qwerty456127
> nor do I ever acquire unlockable devices.

Do you mean non-unlockable?

~~~
pishpash
Yes, that's what I meant!

~~~
qwerty456127
As far as I know the selection of officially unlockable phones is extremely
humble. Unlocking a phone usually means using hacks voiding warranty and/or
violating licenses. I absolutely support the people choosing to go this way
morally (and am one of them myself) yet I think it's sad that people are
forced to do illegal-ish hackery to configure their phones a reasonable way
and protect their privacy. I have also heard about a man that was put in
prison for hacking his nintendo so the whole thing gets scarier and scarier.

------
kerng
We should be thankful that they haven't cross shared the WhatsApp contact info
- they probably have a similar stream of information on that side.

~~~
icebraining
Yes, they did:
[https://www.theguardian.com/technology/2016/aug/25/whatsapp-...](https://www.theguardian.com/technology/2016/aug/25/whatsapp-
to-give-users-phone-number-facebook-for-targeted-ads)

------
lucb1e
I'm sure they had their "permission" on page 27 of the terms of service. This
isn't news...

My opinion is still that those terms of services are silly. If I ever do start
my own business, one of the things on the checklist is to have a minimal, if
any, terms of service, because nobody wants to waste time reading them, and
99% of what is in ToSes is in the law anyway. Except, of course, data
collection beyond functional requirements. That would be a good thing to hide
in long ToSes.

~~~
underwater
If you read the TechCrunch article you wouldn't have to guess where it was
shown. There is a screenshot of the prompt that shows that the prompt and
explanation "Continuously upload info about your contacts like phone numbers
and nicknames, and your call and text history." Your solution of hiding this
information in a minimal terms of service is strictly worse.

My take away is that you can tell users exactly what you're doing and they'll
still be outraged. So don't do creepy stuff.

~~~
mehrdadn
I got my contacts uploaded at some point despite always making sure to reject
their prompt. I'm sure people will claim it was just a "bug" or I must have
just mistapped (which I have no reason to believe was the case, but how would
I prove this), but either way, it's oddly convenient how it works out for
them.

~~~
underwater
That is worrying. The iOS security model would have served you better;
Facebook could never accidentally forget you’d said no.

~~~
mehrdadn
> That is worrying.

Indeed. :\

> The iOS security model would have served you better; Facebook could never
> accidentally forget you’d said no.

Interesting, so you mean this is the case even if I uninstall and reinstall
the app? What if I wipe the OS and reinstall (as "cleanly" as is possible)?

~~~
josephg
In the iOS security model there's no fixed grab-bag of permissions you accept
when an app is installed. Instead the app must explicitly ask for access to
each credential on an as-needed basis while the app is running. The request
must happen when you request to use that particular feature. And the app is
expected to continue working if you say no; just with the corresponding
features disabled. So for example, on iOS whatsapp only requests camera access
when you try to take a photo in the app.

If you say no, facebook can't access the data. Facebook can't conveniently
forget that you said no and access the data anyway - if you say no at the
system prompt, the OS won't give the app access to that data in the first
place.

The system isn't perfect - it turns out my mum wasn't getting chat
notifications on her iphone because she doesn't know what notifications are
and she's been saying no to the prompts. But I find it somewhat refreshing to
see beginner users erring on the side of saying no, rather than always saying
yes to every random prompt the computer spits out. Fail-private is better than
fail-public.

~~~
mehrdadn
I don't think Facebook ever "forgot" what I said, rather it was that I was
reinstalling the app for whatever reason, so it really didn't have that
information. That's why I asked what would happen if something similar
happened on iOS.

Also note that Android's new security model (version 6+?) is pretty similar to
what you described, but yes, I do believe this incident occurred on an older
version.

------
intrasight
FB can't collect call and SMS data from my browser ;)

It was so patently obvious that they would do this with any app that I am
surprised there's a stink being made about it now.

I don't understand why people fall prey to the "install our privacy invading
app" when the service works just fine via a browser.

------
Aissen
Should we talk about Google's shoveling of Google Now, err feed, err
Assistant, by constantly asking for us to pay with our position, search and
vocal history ?

And this is pre-installed on the phone, with the same dark patterns that would
push any non-privacy conscious person to activate it, even by mistake.

------
ibdf
It's time for a decentralized social network to be formed that's not guided by
advertising money, therefore no need to collect data. The only platform that
does something similar that I know of is mastodon... are there other
alternatives?

~~~
CraigRood
I think we should go one level deeper and build an open low level
decentralized protocol. that allows others to create networks and 'feeds' on
top. The data should belong to the person and the app/website should provide
the features.

------
eecc
does the damn opt-in always nag users every time the app opens? Something like
that awful LinkedIn prompt to vacuum your phone's contact every time you dare
use the app?

------
randomsearch
Facebook should seriously consider offering premium accounts with no
advertising and extra benefits. Extra privacy guarantees. Invitation only,
gradually roll it out.

~~~
noxToken
I don't understand the context of your post.

"Pay us money, and we won't allow companies to manipulate you via
advertising."

Or

"Pay us money, and we won't use every tool at our disposal to suck every bit
of possible data out of your life"

Both of them are gross, and no user should be subject to either of those
dilemmas. I'm not saying that every product should be free of use without any
cost. Advertising is absolutely necessary to keep certain products and
services free. Some companies take it too far though.

Put it this way: eating beef requires that a cow is slaughtered. Should we go
for the painless, instantaneous kill, or since it's going to die anyway,
should we vivisect it?

------
wizardforhire
Granting permission isn't a default setting obfuscated by deliberately poor
interface design and reset everytime you decide to update your api.

------
estevaovix
Facebook will fall at some point, it’s a disease.

------
dotdi
We all know that a "denial" means jack shit nowadays.

------
ggm
meaningful consent is a thing.

------
HugoDaniel
Facebook is in denial

------
nukeop
"Without permission" is the crucial part. Of course, you have to give the app
the permission to do it when you install it, otherwise it will refuse to run.
That is why the Android permissions model is fundamentally broken.

~~~
wakeywakeywakey
Could you explain how permissions could be better achieved? Also, could you
provide examples of platforms with good permission/security model?

~~~
lovelearning
CopperheadOS[1] has a good permission model (compared to stock Android).
Notice that they had implemented a better permission model over Android's even
in older Android versions which didn't have runtime granular permissions. It
proves what the ad company Google itself _could_ have implemented in stock
Android had they not been an ad company.

CyanogenMod's Privacy Guard[2] - basically a proxy that sits between the apps
and the ContentProviders, and provides user-configurable "fake data" \- was
another good approach. Not sure if its successor LineageOS has this feature
working - a search shows user complaints that it doesn't work as expected -
but I hope it has retained the feature.

I feel a distro that combines both approaches would have been best. Both
approaches also prove that there was no technical impediment to implementing
them in stock Android.

[1]: [https://copperhead.co/android/docs/usage_guide#permission-
mo...](https://copperhead.co/android/docs/usage_guide#permission-model)

[2]: [https://www.androidcentral.com/cyanogen-os-privacy-guard-
kee...](https://www.androidcentral.com/cyanogen-os-privacy-guard-keeping-apps-
seeing-your-data)

~~~
eh78ssxv2f
> It proves what the ad company Google itself could have done had they not
> been an ad company.

I think you make fair points, but I think this does not prove anything.
CopperheadOS has a different user base than Android. A permission model that
CopperheadOS users understand (e.g., CopperheadOS users are likely to be more
technical) may not work for Android user base.

~~~
lovelearning
Their existence proves what was possible in stock Android. Why it didn't
happen that way is open to speculation.

Personally, I feel it was because Google's main business did not, and does
not, provide any incentives to design stronger permission and privacy models
because it itself depends on collecting information about users.

Was usability also a factor? It may very well have been.

However, I disagree with a thinking that uses usability as an excuse to treat
a user base numbering in the hundreds of millions as a homogeneous set who
don't know anything, and who can't learn anything new.

People fall in a spectrum of capabilities, and more importantly, every
individual is capable of moving around in that spectrum with time.

For example, a non-technical user who started out giving one app all
permissions may realize their mistake when their email or phone number turn up
in google searches, and become more careful with other apps.

Stock Android could have catered to that and standardized on a very granular
runtime permissions as the default model. They already had existing ACL models
like iOS / Windows policies / SELinux to copy from. They could have left the
simplification to the market - the equipment manufacturers and users - to
decide. But stock Android made it a binary all or nothing choice for a long
time, and left it to equipment manufacturers to provide any additional
protection, who of course didn't implement anything either because they too
had no incentives to protect user information or standardize the security
APIs.

Even now, Android's runtime permissions, while comparatively more granular,
are not granular enough, and in practice become a binary choice where some
apps refuse to work if a particular permission is not granted.

I have also noticed how Google in their PlayStore keep the permission
information hidden away in an obscure location at the bottom of the page, and
don't provide any way to filter apps by permissions. How do I search an app
that lets me draw on images without asking for contact book information? Not
possible without opening every app's page and checking their permissions. I
usually try a bit, give up, and head back to gimp on desktop. Is it for better
usability? Does better usability mean keeping users ignorant and uneducated? I
think it's not a good approach, and based on anecdotes from my personal
network, I also think it's a mistaken assumption.

------
bigiain
I notice the Facebook response is all written in present tense - technically
not specifying whether they were abusing the laxness of android v16 up until
Oct 2017...

And I trust everything Facebook say precisely as much a Zuckerberg told us all
we should with his much-quoted quip "They trust me. Dumb fucks."

~~~
hnarn
I feel like if you should quote a very inflammatory and controversial "quip"
you should at least provide a source. Maybe I'm the only one on HN that hasn't
heard about it, but even so, sources shouldn't be omitted.

~~~
sah2ed
[https://en.wikiquote.org/wiki/Mark_Zuckerberg](https://en.wikiquote.org/wiki/Mark_Zuckerberg)

~~~
hnarn
So, do you feel it's irrelevant to mention that it was said in a chat
conversation, in 2004 when Zuckerberg was 20 years old? I'm not saying that
makes what he said completely fine, but it's not irrelevant for context.

~~~
sah2ed
I wasn't the one you originally replied to but it looks like you are shifting
the goal posts here.

> _Maybe I 'm the only one on HN that hasn't heard about it, but even so,
> sources shouldn't be omitted._

You asked for sources and I merely provided one such source as "proof" that
Zuck actually did use those words in the past.

~~~
hnarn
Sorry, you're right that I mixed you up with whoever posted the original
comment. I do think context matters though, of course that makes no sense to
say specifically to you.

------
andrew-lucker
If journals are going to rehash Facebook blah word by word, syllable by
syllable, then I expect free endorsements to alternatives. It's a small public
service in exchange for the free content and clicks.

