A Sunday Times report has accused Facebook of having access to its mobile app users’ text messages, according to Read Write Web. Facebook, in a response to an article on Business Insider on the matter admits that it does have read/write access to SMS messages, but that it’s not doing anything with that access.
Facebook said that it wanted access in order to test its own messaging service, and that permissions granted to Facebook by the user when installing the app are clearly explained on the Android marketplace page. And that they are. In the Permissions tab, Facebook says installation gives its app permission to
Send SMS messages
Allows application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.
Edit SMS or MMS
Allows application to write to SMS messages stored on your device or SIM card. Malicious applications may delete your messages.
Allows application to receive and process SMS messages. Malicious applications may monitor your messages or delete them without showing them to you.
Read SMS or MMSAllows application to read SMS messages stored on your device or SIM card. Malicious applications may read your confidential messages.
The reason it is on there is because we have done some testing (not with the general public) of products that require the SMS part of the phone to talk to the Facebook App. That's what the read&write refers to – the line of communication needed to integrate the two things.
Lots of communications apps use these permissions. Think of all those apps that act as replacements to the build-in sms software.
That's not necessarily what we're working on. SMS can be used for carrier billing (where users opt to pay for things like apps through their phone bill). Again – that's not to say we're launching this. It's just an example of why an app might use these permissions. The Sunday Times leapt to the conclusion that is was a messaging feature.
So the takeaway from that is that yes, Facebook’s app can access your SMS messages, both to read and to write them, but it’s all ok because they’re not using it yet. That’s like a serial arsonist smiling sweetly and saying that yes, they can totally be trusted with a box of matches, a blow torch and a bottle of acetylene. Facebook have form when it comes to invading their users’ privacy. Why should we trust them?
It’s well known that most users don’t bother to read about the permissions they are granting, and it’s likely that most don’t even care what apps can do with their data. But when it comes to texts, we should be much more sensitive. Anyone who is tech-savvy knows that emails can be hacked, that spammers and phishers pretend to be someone they are not, and slowly we are managing to teach that to those who are less experienced or less tech-worldly-wise. But texts are still assumed to have been sent by the person that the text says it is from, and it would be foolish for us to allow companies to even think about undermining that.
Of course, Facebook isn't the only company to want access to information on your phone that you might have thought was private and protected. A recent furore saw social app Path have to apologise for accessing its users iPhone address books. Path wasn't alone, it seems this was common practice, said VentureBeat:
Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla are among a smattering of iOS applications that have been sending the actual names, email addresses and/or phone numbers from your device’s internal address book to their servers, VentureBeat has learned. Several do so without first asking permission, and Instagram and Foursquare only added permissions prompts after the Path flare-up.
Some of these companies deny storing the personal data, as Path was doing, but the transmission alone makes the private data susceptible to would-be intercepters.
After these revelations, and an apology from Path, several companies cleaned up their acts, but not before two members of the US Congress wrote to Apple asking it for more information on the privacy breach. For its part Apple said it was changing its terms and that developers would have to ensure apps explicitly asked permission before accessing a user's address book.
Will the ability of Facebook's app to access SMS cause a similar fuss? Facebook has a history of pushing the limits of what is acceptable to users when it comes to their privacy, but until we know what they are planning it's impossible to know how far they are going this time. It would be nice to think that this is all a storm in a teacup, but it’s not just about what Facebook itself does, it’s about what’s open to developers that create their own apps for the Facebook platform. We know that some of them have even fewer scruples than Facebook, and we need to look very hard at what third party apps are doing with your SMS.
As Facebook’s app permissions say, “Malicious applications may delete your messages… Malicious applications may monitor your messages or delete them without showing them to you…. Malicious applications may read your confidential messages.” How lucky are you feeling today?
Published Date: Feb 28, 2012 05:44 pm | Updated Date: Feb 28, 2012 05:47 pm