Dmitriy Shpilko - Fotolia

Facebook app permissions skirted rules to gather call logs

New email messages revealed that Facebook app permissions were carefully implemented to avoid alerting users to the fact that the Android app was gathering call log and SMS data.

The troubles for Facebook continued this week, with a trove of internal email message as part of an investigation in the U.K. Parliament revealing questionable data practices, including Facebook's Android app permissions being designed to gather data without users knowing.

Despite a U.S. federal judge ruling that the email messages should be sealed, Damian Collins, chairman of Parliament's Digital, Culture, Media and Sport Committee, ordered the collection of 200 pages of internal Facebook email messages be released. He said on Twitter that this was done because the committee didn't feel it "had straight answers from Facebook" on important issues.

The email messages described various practices by Facebook, including entering whitelisting agreements to allow certain companies to continue to maintain "full access to friends data," linking access to friends data to the financial value of Facebook for developers and data reciprocity policies between Facebook and developers.

One of the more troubling revelations in the email messages regarded Facebook app permissions on Android. The email messages showed that, in November 2013, Facebook privacy and legal teams were working "to understand privacy risks associated with several Android permissions that will go out in the next release, including permissions associated with reading call logs and SMS."

Another email thread from February 2015 described a plan for the Facebook app permissions on Android to trigger a dialog and require users to accept call log uploads, but Facebook found a loophole that would allow the app to be updated "without subjecting them to an Android permissions dialog at all."

According to a summary of the email messages by Collins, "Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user, would be controversial. To mitigate any bad PR, Facebook planned to make it as hard [as] possible for users to know that this was one of the underlying features of the upgrade of their app."

Google did not respond to specific questions, but pointed out that runtime permissions -- allowing users to "see, grant and revoke permissions" before for apps at a granular level -- was introduced in Android 6.0 Marshmallow, which would have made Facebook app permissions more transparent. However, Android platform history showed that, despite Marshmallow being released in October 2015, Android 6.0 and higher wouldn't be installed on more than 50% of devices in the wild until mid-2017.

Additionally, in October 2018, Google locked down access to call logs and SMS data. The only apps that can access that data are the default Android phone and messaging apps.

In a blog post, Facebook responded by saying the documents were "cherrypicked," and the release "tells only one side of the story and omits important context." The blog post also gave a more specific explanation for the Facebook app permissions issue.

"The feature is opt in for users and we ask for people's permission before enabling. We always consider the best way to ask for a person's permission, whether that's through a permission dialog set by a mobile operating system like Android or iOS, or a permission we design in the Facebook app," Facebook wrote. "With this feature, we asked for permission inside the Facebook Messenger app, and this was a discussion about how our decision to launch this opt-in feature would interact with the Android operating system's own permission screens. This was not a discussion about avoiding asking people for permission."

Expert response

Andrew van der Stock, senior principal consultant at Synopsys, based in Mountain View, Calif., said Facebook app permissions on Android "[do] not adhere to the principle of least surprise."

"Facebook users would not have known or consented to surreptitious and invisible data collection. Not only does this violate privacy laws in many locations, including Australia and European Union, it erodes trust with their users," van der Stock said. "If Facebook were aiming for growth, this will likely have the opposite effect, as the stampede by users leaving the platform accelerates in light of these and other revelations."

Paul Bischoff, privacy advocate at U.K.-based Comparitech, said, "It's difficult not to use the word 'deceptive' to describe Facebook's tactic here. It would have been trivial to ask users to accept a new permission, but Facebook clearly thought it had something to hide."

According to van der Stock, the Facebook app permissions are another step in a troubled history.

"Facebook's history of privacy is one of continued unnecessary collection, such as when they changed your contact card on your phone to use a Facebook email address as the default email address. That is not OK," van der Stock said. "People willingly upload a great deal of information, so they can stay in touch with their families and friends, but many don't realize just how much metadata and actual data they are sharing. I am a Facebook user, and I do know the risks, but I would imagine most don't. I would love for Facebook to improve their transparency in this matter."

Bischoff gave Facebook some credit for giving users "pretty granular control over what other users and the public can see on their profiles," but said this was in contrast to the little information and control about what Facebook and its affiliates can access.

"By its very nature, Facebook runs contrary to the principles of privacy, and it has a long record proving as much. Relatively few people took it seriously until politics got involved. But the more than 1 billion people who use Facebook should be held accountable, as well," Bischoff said. "None of us should expect to get something for free; we pay to use Facebook with our personal data. While I don't agree with many of Facebook's decisions, the entitlement of its users is what really astounds me."

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing