
Facebook scraped call, text message data for years from Android phones - node-bayarea
https://arstechnica.com/information-technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-android-phones
======
wlesieutre
Android's permissions system for stuff like that is indefensible. Anything
with severe privacy implications like "years of text message history" should
explicitly opt-in with a permission request popup at runtime like iOS has done
for features like camera since launch.

Of all the things to not copy from iOS, of course privacy is the one that they
decide to skimp out on. I'm glad they've started to catch up, but they have a
ways to go yet.

~~~
jon_richards
I hate that I can't send a photo to a friend without giving facebook access to
_all_ of my photos. Where's the "just this one" option?

~~~
ReverseCold
This is already possible, some apps launch a file picker app (what you're
supposed to do).

Instead, apps that want to steal your pictures request access to all of them.

~~~
Groxx
Android has a lot of nasty corners around stuff like this, which can prevent
being both streamlined (accessing all photos _does_ let you optimize for your
app, some people want that) and privacy-friendly (for people who don't want
that). My personal favorite:

If you don't request camera permission, you can still open the camera with an
intent. This is great!

If you _do_ request camera permission, and you are denied, _you can 't use
that intent either_. [https://blog.egorand.me/taking-photos-not-so-simply-how-
i-go...](https://blog.egorand.me/taking-photos-not-so-simply-how-i-got-bitten-
by-action_image_capture/)

I honestly can't tell if it's this way to be intentionally hostile to users,
or by accident, or if they honestly think this is a positive quality.

~~~
rasz
I dont understand your frustration, user clearly doesnt want to give you
camera access, leave him alone.

~~~
Groxx
"Give app X direct access to the camera, microphone, and all my photos
literally any time it pleases" and "use this camera app I trust instead" are
very, _very_ different desires.

Usually I hate the in-app cameras, because they're not optimized for my
device. They're usually slower, have no flash control, no zoom, no manual
exposure options, etc. I'd _almost always_ prefer to use a dedicated camera
app instead.

Because of this permissions decision, if an app wants to bake in a camera
thing (nearly every app that might ever touch the camera does, even if e.g.
only for a QR code reader or something), I can no longer choose. The app _can
't_ open my camera app when it makes sense.

------
helloindia
I removed my phone number from Facebook profile months ago. Now and then,
Facebook still asks me if "XXXXXX" is my number? Once I unintentionally linked
my Facebook account with my insta account. And then I started getting follow
suggestions from people in my Facebook friend list. I tried many thing to de-
link the accounts. Ultimately, I created a fake Facebook account and linked it
to my insta.

Once you give something to Facebook; it's never truly erased.

~~~
joering2
Good story. And I bet you there are lawyers in Europe sharpening their teeth
right now waiting for GDPR to kick in to send Facebook discovery letters just
a minute after April 1st pass. Need popcorn and comfortable chair, as the
stock is down 10%, and we've just started!!

Edit: May 25, of course.

~~~
adventured
I understand the blow-back against their privacy abuses, it's well deserved
(as it was in the past). However, this kind of response is just funny.

The stock is back to where it was in July. Up 100% in less than three years.

$464 billion market cap.

Things are really dire. They'll only earn $20 billion this year, growth will
only be 30%+.

They only have ~$43 billion in cash right now with zero debt. That's barely
enough to keep the lights on. They should shut down the business right now
before they run out of money.

The speeding tickets they might one day get from the EU, could cost them
hundreds of millions of dollars. But just imagine, what if it's $3 billion. I
mean, it's not like Facebook can reluctantly change several of its policies
while maintaining its massive 2+ billion userbase and keep right on printing
money at their 50% operating income margins. Yeah, but just imagine if their
operating income margins decline to only 40% because it crimps their business
model by reducing the value of their ad targeting. And what if it cuts their
growth rate in half? Under that scenario they might only earn $30 billion in
net income in 2021. It's a rough road ahead.

The other fun part? They'll still net add global users in 2018. None of this
is going to matter for the survival of their business, although it might
improve user privacy around the globe and that'll be a big win.

~~~
joering2
Unless another social network comes along and FB will die out loud like
Friendster and MySpace did.

If you think solid $ numbers are everything to keep "printing money" then see
what happened to Kodak or Sony.

~~~
Bahamut
Many have tried to take a slice of FB’s pie - almost all failed to make a
serious dent, and the main social media alternatives are also generally
struggling (or have serious fundamental issues of their own).

At this point, I’m very skeptical another company will unseat FB’s dominance
for quite a while, if ever.

~~~
alecco
And FB buys the competition or throws money at disarming it by buying its
competition and putting it on steroids.

------
Yoric
I realize that it's too late to cry over spilled milk, but that was one of the
reasons for which Firefox OS was developed. We wanted to push a different
permission model in which permissions were much more fine-grained and could be
audited and revoked easily. Sadly, one of the reactions of the development
community (including HN commenters) at the time was along the lines of
"Android is just fine".

I understand that recent versions of Android have moved towards adopting a
permission model closer to that of Firefox OS, though, and I suspect that the
example given by Firefox OS at least showed that it was possible.

P.S.: Yes, Firefox OS had other problems. Let's not try and idealize the past
:)

~~~
on_and_off
> and revoked easily .

I don't see how revoking permissions solve that problem. Once an app has
scraped your info, you can revoke it's permissions all you want, it is not
going to delete your data from its server.

------
koolba
What’s the supposed justification for scraping text message data? I mean the
contact list could be justified as a means of cross referencing friends. I’m
having a hard time coming up with a _legitimate_ use for text message data.
Best I’ve got is “ _who do you contact regularly?_ ” which is still insanely
creepy.

~~~
quadrangle
I think it's "This helps us orient both ad- and non-ad- content on Facebook to
fit you optimally and keep you on Facebook and also figure out why people keep
texting instead of using FB Messenger."

~~~
lostlogin
That’s not a justification that helps the user much though.

~~~
adrianN
Who cares about the user?

------
gruez
Funny how this is popping up now (presumably because some guy noticed his call
logs were in his facebook data download and tweeted about it), even though the
permissions in question (described in no unecrtain terms) were in the app for
years, and there was an explicit setting in the app to turn this on/off
[http://i.imgur.com/NRarWdh.jpg](http://i.imgur.com/NRarWdh.jpg).

~~~
derekp7
The problem is that apps need certain permissions to perform their function.
Such as a music app that needs access to the phone module, so it can pause the
music when a phone call arrives. This has the effect of users not paying
attention the the specific permissions, since in many cases the need for them
isn't obvious.

~~~
MBCook
Why? Why doesn’t the operating system do that for them? Why is it up to
individual applications to decide whether or not they want to pause music with
a phone call starts?

------
renaudg
I'm ex-FB and have it on good authority that this is indeed used to improve
the relevance of friend suggestions (i.e. distinguish between your best
friends and the plumber in your contacts). I'm also told it's opt-in, and the
app dialog (not just the system dialog) does say call logs will be scraped.

But still, IMO it's an incredibly invasive, incredibly dumb thing to be doing
in the current context for the small benefit it brings. I hope they wake the f
__* up to just how bad it makes FB look like to the outside world, and kill
this feature with fire.

------
noarchy
The mile-long list of app permissions requested by Facebook's app should have
been a red flag for most.

There are alternatives, such as using the mobile web interface, or any of the
various apps that wrap the site, such as
[https://f-droid.org/en/packages/it.rignanese.leo.slimfaceboo...](https://f-droid.org/en/packages/it.rignanese.leo.slimfacebook/)

~~~
spookyuser
The app permissions should have been a red flag, except some users probably
never even saw them since Facebook was pre-installed on their phones.

------
msoad
When you allow an app to access your contacts, they grab all of them and
upload them to their servers. It's less severe in iOS because they can't
access SMS and call logs.

------
paulie_a
I hope it is getting to the point that having Facebook on your resume should
be considered a huge red flag

------
TaylorAlexander
This is one of the things that led me to stop using Facebook last year. In
order to use the app you have to give it all manner of permissions. And of
course, if Facebook can access your data they’re going to suck in as much as
they can. They don’t respect you, they want to use you.

So put me in the “not surprised” category, but I’m really glad there’s more
discussion of this.

------
nashashmi
Yawn! We knew this was happening for years. FB scraped data for one purpose
only: To figure out who your close friends were offline. And they wanted all
sorts of information that could indicate closeness. From location data that
would show how often you meet up together and how long you hang out. To phone
call and sms data.

Now a lot of that data is dead data. Like it has no use after a couple of
years. But just like Google cookie having an expiration date of 20 years, FB
just does not know when that data becomes irrelevant.

FB and zuck have this manifest dream of figuring out connections and then
figuring out the strength of those connections. Then they want to figure out
social relevance. Then they want to use that info to bind people together on
their platform. It is not a bad idea overall, until you add in government and
corporate entities.

And by that time you know how evil of a thing you signed up for.

------
daveheq
MySpace allowed viruses on their platform; Facebook IS the virus.

------
fencepost
I'll throw in another place where permissions aren't nearly granular enough -
online file storage (Dropbox, Onedrive, Box.com, etc.). Perhaps I'd like to
allow an app to save information for cross-platform use or just because I want
it on my own personal cloud storage - 1Password's older versions are a great
example of this. I haven't looked at it recently, but I'm not aware of any
changes that add that level of granularity to the APIs.

What throws me is that I'd expect security conscious developers to be
clamoring for this. If I'm writing an app that should store data for users on
the user's own accounts, it's not "I do not want to have access to everything"
it's "I do want to NOT have access to everything."

------
jeswin
People had been running untrusted apps in the browser and collaborating over
the internet for more than two decades now. Mobile OSes threw out all the
safety lessons codified into web browsers and built an entirely new
permissions model. A decade later, here we are - there are hundreds of
companies holding varying levels of access to your entire contacts list, text
messages, GPS data, photos and other media. And all of them will hold on to it
for eternity.

I for one, am glad web apps are making a comeback. Now I use web apps wherever
possible, fully aware that I can't do anything about what's already been
shared.

------
foobaw
From my insider source, I'm told that permissions will change significantly in
the near future.

Just FYI: a lot of other apps also utilize the same permission. Just an aside
but Google also has the authority to whitelist certain applications for these
permissions - meaning they can enable certain invasive permissions without
asking the users.

We shouldn't just vilify Facebook. It was how the privacy framework was
designed for Android that's the issue. This will change in the next upcoming
versions.

------
kristianov
Their permission requests are outrageous. That's why I refuse to install any
apps from Facebook on my phone, and pollute my Facebook account with false
personal data.

Fake news for fake data:)

~~~
iKlsR
Has anyone seen the permissions being asked for recently, games want access to
contacts and to make calls. wtf?

~~~
derekp7
Isn't that so they can pause / save the game when you get an incoming phone
call? I recall reading that on an app once.

~~~
lostlogin
What platform? Surely android as you can do that in iOS without those
permissions and I would have thought you’d get rejected if you tried that on.

------
burfog
Users need to be able to mislead the apps.

Right now, an app can force a choice: enable all the permissions, or you don't
get to use the app. Users need to be able to feed fake data into the app. For
example, maybe Facebook should think I am spending my time with Bill Gates in
Bhutan. Users should be able to install dishonesty plugins to generate this
data.

------
deftturtle
I already suspected this due to getting more posts from my friends based on
who I texted, and they were Android users. It's fucking annoying. Also, using
the same wifi network leads to getting friend suggestions

------
shubidubi
I really don't get why people use the fb app. It drains your battery and
privacy, not to mention the notifications. I use web app only.

------
aj7
Is this possible with IOS? Or for people who have never shared their contacts
with Facebook?

------
johnnyOnTheSpot
What has changed at facebook to create all this negative feedback?

~~~
tmuir
The richness of the irony in your question makes me wonder about your level of
sarcasm.

On one hand, its pretty reasonable to say that absolutely nothing changed at
facebook. We are all witnessing the effects of latency.

On the other hand, the change(s) that has ushered in this uptick in negative
opinions in regards to Facebook will likely be the source of vigorous debate
for some time.

For one, this is just the latest example of habitual behavior on Facebooks
part, selling third parties more access to personal data than the persons
referenced are comfortable with. The response every single time has been for
Facebook to say roughly "We agree in principle that we slightly messed up, and
as our more than adequate self imposed penance, we will solve this problem in
secrecy with the completely untested technology that we've been working super
hard on ever since we discovered this problem 2 years ago, but only
acknowledged publicly as a strategic move when no better alternative existed
to preserve our viability as a corporation".

Additionally, the data subjects do not generally understand the power imbued
to the purchaser of that data at the point they give away that data. Further,
they possibly are giving up the legal right to any privacy stemming from what
that data may tell third parties.

In the context of all of these generally nebulous problems, is the growing
news story involving Cambridge Analytica's alleged use of Facebook's data, the
Presidents use of both of those, and the extent to which it can be argued that
voter outreach crosses a line in to deceptive psychological manipulation.

Its what folks in scientific fields refer to as evidence that supports, as
opposed to weakens, a falsifiable hypothesis.

------
mankash666
Google is as much to blame here as Facebook is. It shouldn't have allowed apps
with "contacts" permission to scrape sms & call logs. I hope both of them are
held accountable

~~~
stefan_
If I run a program, I don't expect it to scrape my home folder just because
technically my OS granted it permission to do so. And I don't think that is a
distinction the law makes, either. Intent and explicit consent matter.

~~~
gruez
Not a fair comparison because there's no sandbox for desktop apps.

~~~
gwbas1c
The app store is front and center on Mac. All apps are sandboxed by default.
Steam is another sandbox. A browser is a sandbox.

The problem is that it's hard to write an _interesting_ Mac desktop
application that runs in a sandbox. The kind of complexities that require a
full blown desktop application just don't fit in a sandbox. (As opposed to a
game, mobile, or web app.) Whatever runs in a sandbox turns out to be just a
prettier version of a web app, or a self-contained game.

~~~
comex
Nitpick, but I'm pretty sure Steam doesn't actually sandbox the games you
download through it.

~~~
AlexandrB
Nope, not at all. In fact many games on Steam come with their own _additional_
invasive DRM schemes that do all kinds of things you wouldn't expect.

------
sverige
This is completely unsurprising. The question is whether they should be
allowed to keep that data.

~~~
55555
Why the hell should they be allowed to keep that data?

~~~
jakeogh
Because you gave it to them. The alternative goes right to rules that prevent
everyone (not just FB) from remembering things, and ultimately more
censorship.

Is it just me or has a whole generation lost the concept of personal
responsibility? I don't use FB because it's been obvious for a long time this
was happening, and it's an awful platform, designed to socially engineer their
flock of product people.

Use products that you control. LineageOS + FDriod is a great start.

~~~
IAmEveryone
This libertarian utopia obviously breaks down any time you're presented with a
200-page Terms of Service. _Nobody_ has the time and/or skills to read and
understand the content at the level required for "informed consent".

Which is why societies have come up with a far better method: collectively
decide (or collectively choose people to decide) on reasonable limits for
certain types of transactions.

My German law professor used to say that she never read ToS. Because under the
country's law, they are either reasonable or unenforceable.

Such laws have nothing to with censorship. If you really need your users
private messages, you just have to more explicitly present them with the
choice, and respect their decision to say no without unreasonably denying them
service.

The US has far more lenient standards for such one-sided contracts, but the
basic principle is obviously the same: If Facebook were to add a paragraph
giving them ownership of your house somewhere deep in the ToS, they wouldn't
stand a chance in a court of law.

~~~
cctt23
I’m always amazed by the ability of libertarians to believe that in the
jungle, they’d be tigers rather than tiger shit. More often it turns out they
just have a grossly inflated opinion of themselves, as in this case. We’re all
human, all weak, and we all need to depend on each other a lot, it’s just the
way it is.

~~~
tmuir
I think that people who go out of their way to present what they believe are
alpha male characteristics are essentially hanging a neon sign above
themselves. That sign is begging for someone with those characteristics to
come along and fix the worlds problems in the way that the stereotypical Clint
Eastwood or Arnold Schwarzenegger character solved his problems. In other
words, an alpha male exerting his will, delivering satisfying one liners, and
saving the world.

Why else would nearly every single popular conservative media "character" be
so uncannily similar? Why did nearly all of those characters triple down on
this machismo roughly 18 months ago? Could it be that they got back the
results of their latest A/B test?

I think this all drives at the most interesting, world changing possibility
that could come out of this reckoning with Facebook. What will happen when it
becomes conventional wisdom that the true power of collecting all of this data
is not the ability to predict what you will do, but the ability to direct what
you will do? What will happen when it truly registers with people that this
necessarily removes their agency? What will prevent that critical mass from
making the trivial jump in logic that advertisers and public relations firms
have been progressively improving on these same skills to the same general
ends for a century?

