

Facebook, Flickr, others accused of reading text messages - pewfly
http://www.zdnet.com/blog/btl/facebook-flickr-others-accused-of-reading-text-messages/70237

======
droithomme
The article's headline seems misleading. In the article itself it seems like
what they are really saying is that due to file permissions it is technically
possible for applications to access this data, not that it is something these
companies are actively doing. They "can" access private data, which is not
surprising, but it is not established that they "do" access it.

~~~
Terretta
It's not "file permissions", it's the permissions that the Android app is
asking for, and you're granting it, at install time.

I've mentioned this here before: look at something like the Weather Channel
app on Amazon's app store, which requests an astonishing array of permissions,
including the permission to dial out silently without your interaction.

The Android apps, like Facebook apps, are overreaching, and training users to
accept the incursion in order to use well known apps, leaving them more likely
to accept the same from obscure apps.

------
bri3d
As I posted on a Facebook note from a communications representative at
Facebook linked by veyron [0], Facebook, Flickr, and "others" could mitigate
their "poor journalists write poorly-researched stories about us" problem by
not contributing to Android permissions creep.

If Facebook asks for the SMS permission but doesn't actively use an end-user's
messages, the end user is eventually more likely to accept a malware
application that asks for SMS permissions and then silently steals their
messages. Requesting feature permissions that aren't used visibly is terrible
practice.

I think Apple got this particular policy right: their review process screens
apps to make sure that visibly requested information is visibly used for
something in the application, preventing every application from asking users
for every bit of their personal information just to launch the app. In my
experience the actual execution of said policy is spotty and inconsistent like
the rest of the review process, but the idea is sound.

0: <https://www.facebook.com/note.php?note_id=10151330596285363> via
<http://news.ycombinator.com/item?id=3637869>

------
commanda
I'm assuming that by "smartphone" this article is only referring to Android
devices? As far as I know, it's not possible (without jailbreaking the user's
device) to get read access to SMS on iPhone.

------
tjoff
Not that I think they do read their users' text messages but they so deserve
the backlash for requiring that permission.

And Android needs some blame for not allowing their users to opt out of
granting that permission (alt. forcing the app to ask for them every time they
are used).

Apps that require too many/creepy permissions need to be distrusted and this
is the only way that is going to happen.

No. I'd never install the Facebook, Flickr, whatever app if they require
access to contacts or SMS and internet at the same time. I have sensitive
information in my contact-list and I don't trust anyone that is foolish enough
to actually ask for permission to read any of those, at install-time, with my
data. Simple as that.

Make a "private" version of the app that doesn't require those permissions or
no deal.

~~~
snupples
Why is Android to blame? The SMS permissions are clearly spelled out on the
install screen. As you said, you can opt out by not installing the app (or not
updating, in the case where a permission changes between versions). That said,
there are quite a few apps I was interested in that I chose not to install after
all once I got to the permissions screen.

If you think you should be able to line item veto app permissions, that's a
different subject matter.

~~~
tjoff
Because apps stealing user data is a real concern and the contact list as well
as SMS can have sensitive data.

There are, after all, many legitimate reasons for having access to the contact
list and there are many legitimate reasons for not wanting to share it. In
Android, as a developer, you have to decide whether you want a fully featured
app or an app that respects their users' privacy. You cannot have both in a
single app.

There is nothing that says you can't have both and doing so would be very
simple. Android doesn't do anything to help so that's why Android needs some
serious blame for this.

Now people are getting used to ignoring the permissions (if all apps require
everything, why bother?) making them quite useless. If this continues they
could just as well just remove them (since the typical user wouldn't care
anyway).

~~~
snupples
Well it's not exactly "stealing" when the app is forced to tell you upfront
what it's going to "Edit SMS or MMS, read SMS or MMS, receive SMS". How much more
explicit can you be?

~~~
tjoff
As much stealing as if the waiter borrowing your credit-card at a restaurant
decided to clean your bank account instead of charging for your meal.

But anyway, that is beside the point. The point is that Google forces me to
trust the waiter when there is _no_ reason for it.

~~~
snupples
In Facebook's case I absolutely do not trust the waiter. I'm glad Google tells
me what the waiter has access to.
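
Added example, not part of the thread or of any app discussed in it: a small audit of a decoded AndroidManifest.xml that lists the SMS, contacts and silent-dial permissions named in the comments above and flags the "private data plus internet" combination. It assumes the manifest has already been decoded to plain XML; the sample manifest, the package name and the short descriptions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions raised in the thread, with short descriptions (editor's wording).
SENSITIVE = {
    P + "READ_SMS": "read SMS or MMS",
    P + "RECEIVE_SMS": "receive SMS",
    P + "WRITE_SMS": "edit SMS or MMS",
    P + "READ_CONTACTS": "read contact data",
    P + "CALL_PHONE": "place calls without user interaction",
}
# Read access that can leave the device once the app also has network access.
PRIVATE_READS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "READ_CONTACTS"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name


def audit(manifest_xml):
    """List sensitive permissions, then flag private-data + INTERNET combos."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: {SENSITIVE[p]}" for p in sorted(perms & set(SENSITIVE))]
    readable = sorted(perms & PRIVATE_READS)
    if readable and P + "INTERNET" in perms:
        short = ", ".join(p.rsplit(".", 1)[1] for p in readable)
        findings.append(f"private data + network: {short} with INTERNET")
    return findings


# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```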

------
veyron
previous discussion: <http://news.ycombinator.com/item?id=3636287>

------
veyron
Facebook response:
<https://www.facebook.com/note.php?note_id=10151330596285363>

------
rikf
How ironic that a Murdoch newspaper is "exposing" breaches of privacy.

