Facebook has recently spun off its popular messaging service into a standalone app. That’s probably a good thing because it was exceedingly clumsy to access messages in the most recent versions of the app (at least on Android). Facebook has been trying to get people to migrate their late-night digital pillow talk to the new app for a while now and things seemed to be going smoothly until recently. An alarmist blog entry on Huffington Post (naturally) from December 1, 2013 has been circulating recently and stirring up paranoia, claiming the app is merely a tool for snooping on you in your most private moments. I’ve been writing about the problem of egregious Terms of Service and sneaky adhesion contracts in apps and other services for a while now, but sometimes I feel the need to set the record straight when there’s actually no problem at all. This post about Facebook Messenger is alarming, sensational and entirely… WRONG!
The alarmist premise of the post is that Facebook Messenger declared a host of insidious permissions (that you didn’t read) when you installed it and now, Mark Zuckerberg can personally use your phone to spy on you at any time. The author believes this is possible because the permissions are vaguely worded about what they do and when they can be activated. These permissions include such abilities as:
- Allows the app to change the state of network connectivity
- Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.
- Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.
- Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.
- Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.
- Allows the app to read you phone’s call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.
- Allows the app to read data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals.
- Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.
- Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
- Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.
If you’ve just watched a Jason Bourne movie marathon, maybe you could be forgiven for allowing your imagination to run wild with what all these things mean, but the reality is much less frightening. Google, the creator and purveyor of Android, the world’s most popular (by number of active devices) smartphone operating system, has required apps to declare what they can do with your phone for several years in an effort to make apps MORE transparent. Permissions identify and briefly explain what the app can do, so if an app declares that it has the ability to use your phone’s microphone, that’s so you can make calls, record and send an audio message or do other things at your request without asking you each time, “may I access the microphone?”
The permissions sound nefarious because they are written with extraordinarily vague language that is easy to twist into something that sounds evil. This is only because Google writes one set of permissions and expects app developers to just check off the ones that their app uses and just leave it at that. These general provisions are then presented to users when they go to download the app. An app that declares that it allows the app to call phone numbers without your intervention does not mean that it can–or will–do this at ANY time, but rather means that when you ask it to place a wi-fi call, you don’t need to click ten different boxes allowing the app to access the speaker and the microphone and your contacts and prevent your phone from turning off and a bunch of other things and then making you go through it all again the next time. It’s all rather common sense, and sure, there are probably people who wish they could pick and chose like that, but that’s a tiny fraction of the populace. Many developers are now taking the extra step of saying what they do with their permissions in their app’s description on the Play Store, and there’s talk that Google might tweak how it handles permissions in the next version of Android, but until then, don’t freak out.
If you want to read more about what some permissions do (and don’t do), take a look at this post from a much more informed writer from Android Central.