Facebook denial makes more clear its power to spy on Android texts, phone calls

'Times' story mistakes 'could spy' for 'is spying;' Facebook splits hairs on what 'spying' means

Facebook is now denying it uses its free Android app to spy on text messages sent by Android users who are also Facebook subscribers.

Facebook had confirmed the snooping in a story that ran yesterday in the London Sunday Times (registration required).

The story – one of many highlighting how the broad access rights granted to many Android apps could make users' activity far more public than they think – was prompted by apps from Facebook, Yahoo, Flickr and Google, which install themselves with the right to access SMS messages and other supposedly private functions.

Some apps can even intercept and eavesdrop on phone calls, while others such as YouTube's are able to take over control of an Android phone's camera to broadcast video or take photos at any time, the Times story said.

The Times quoted Facebook sources as saying the company did not routinely monitor private text messages, but was running a limited project under which it did so as part of a trial before the launch of its own message service.

That is a gross misinterpretation of the Android permissions the Facebook app assumes, Facebook's intentions toward Android customers and of what Facebook told the Times, according to a refutation of the story posted by Facebook spokesperson Iain Mackenzie.

Sure we CAN read your texts; but we DON'T. Not yet.

Facebook's Android app does take permission to read and write SMS messages, but doesn't use those functions currently except for a very limited trial of new functions that use SMS to transport billing, confirmation and other messages to Facebook, not to intercept text messages to or from users, Mackenzie wrote.

Facebook may eventually use SMS functions more widely. If it does, Mackenzie wrote, it will notify end users that it is doing so, just as it notified them that the current version of the app has permission to access text messages, even though it doesn't use that permission.

In a survey that ran with the Times story, 70 percent of Android users said they were not aware of the extent of the rights apps acquire to their text messages.

Weak excuses for demanding the right to snoop

It is entirely believable that the Times story misinterpreted the subtle difference between Facebook giving itself permission to read and write text messages and its current statement that it does not actually read the messages.

Saying Facebook can covertly monitor the content and targets of user text messages but chooses not to do so is not only a weak explanation, it's one that exacerbates the sense of end users that Facebook has abused its potential to invade their privacy in the past and will continue to do so whenever possible in the future.

Refusing to allow users to delete data, appearing to allow the deletion but secretly retaining the private data, and connecting pictures and other content to the accounts of particular users without their permission are just a few of the clever, intrusive ways Facebook has abused the trust and data of users in the past.

It has done nothing to reassure anyone that a company whose business model is built on exploiting the private data of users has now become conscientious about privacy.

Having a vendor like invasion-of-privacy trendsetter Facebook demand the right to read and write text messages one or two version releases before it's ready to do anything with that permission does nothing to make anyone more confident in Facebook's restraint.

Google's admission last week that it had bypassed privacy functions in Safari and other browsers just reinforces the perception that online services whose revenue comes mainly from advertising will covertly monitor the activity of customers whenever they think they can get away with it.

Without more information from the Times about what information its reporters got from Facebook, what information it had to reinforce or contradict that information and how it reached its conclusions, there's no certain way to say whether or how badly the Times mangled the truth about how Android apps use their SMS access.

It does nothing to make the Times story less disturbing, however, that most of Facebook's objections could be dealt with simply by changing a few references from reading "is spying" to "could be spying" on the text messages of customers.

Especially in tech companies filled with people curious about what their customers are doing, eager to see if cool new search or networking tools work or network managers eager to estimate the speed and volume of Android text networks, the difference between "are" monitoring and "could be" monitoring is a lot narrower than anyone at Facebook appears willing to admit.

According to Mackenzie, Facebook's confirmation consisted of the following:

Facebook explainer sent to Sunday Times, according to Iain Mackenzie:

  • Facebook is currently running a limited test of mobile features which integrate with SMS functionality.
  • SMS read/write is not currently implemented for most users of the mobile app.
  • As part of this test, we declared the presence of that functionality within our app store permissions starting with the 1.7 version of our application.
  • If Facebook ultimately launches any feature that makes use of these permissions, we will ensure that this is accompanied by appropriate guidance/educational materials.

Resulting writeup in the paper:

"Companies are using smartphone apps to extract vast quantities of private information about users’ lives, in some cases reading their text messages and intercepting calls.

"Among those that admitted reading text messages this weekend was the internet giant Facebook, which said it was accessing the information as part of a trial to launch its own messaging service."

Facebook Android App Texting Permissions:

This application has access to the following:

Your messages:

  • Edit SMS or MMS: Allows application to write to SMS messages stored on your device or SIM card. Malicious applications may delete your messages.
  • Receive SMS: Allows application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
  • Read SMS or MMS: Allows application to read SMS messages stored on your device or SIM card. Malicious applications may read your confidential messages.
  • Send SMS messages: Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.

Your Personal Information:

  • Read contact data: Allows an application to read all of the contact (address) data stored on your device. Malicious applications can use this to send your data to other people.
  • Write contact data: Allows an application to modify the contact (address) data stored on your device. Malicious applications can use this to erase or modify your contact data.
  • Phone calls: Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.
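
The gap between "could" and "is" that the listing above leaves open can be narrowed by reading an app's manifest. The following is an added example, not code from Facebook or from this article: it audits a decoded AndroidManifest.xml for the permissions behind the labels above and separately reports whether any component is actually registered for incoming SMS broadcasts. The mapping from store labels to `android.permission.*` names and the sample manifest (a hypothetical `com.example.chat` app) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Manifest permission names assumed to sit behind the store labels listed above.
SENSITIVE = {
    "android.permission.WRITE_SMS": "Edit SMS or MMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.READ_SMS": "Read SMS or MMS",
    "android.permission.SEND_SMS": "Send SMS messages",
    "android.permission.READ_CONTACTS": "Read contact data",
    "android.permission.WRITE_CONTACTS": "Write contact data",
    "android.permission.READ_PHONE_STATE": "Phone calls",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for a hypothetical app (not Facebook's manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (sensitive permissions declared, receivers wired to incoming SMS)."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NAME): SENSITIVE[p.get(NAME)]
                for p in root.iter("uses-permission") if p.get(NAME) in SENSITIVE}
    receivers = [r.get(NAME) for r in root.iter("receiver")
                 if any(a.get(NAME) == SMS_RECEIVED for a in r.iter("action"))]
    return declared, receivers

if __name__ == "__main__":
    perms, receivers = audit_manifest(SAMPLE_MANIFEST)
    for name, label in perms.items():
        print(f"{label:20} {name}")
    print("SMS receivers:", receivers or "none declared in manifest")
```

An empty receiver list does not prove an app ignores incoming SMS, since receivers can also be registered at runtime and stored messages can be read without one; the manifest inside an APK is binary and must be decoded to text first.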

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
